What is the CVSS score of CVE-2025-64427?

CVE-2025-64427 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Zimaos are affected by CVE-2025-64427?

CVE-2025-64427 is a HIGH severity vulnerability affecting ZimaOS systems with a public exploit available and no patch currently available.

Is there a public PoC exploit available for CVE-2025-64427?

Yes, a public proof-of-concept exploit is available for CVE-2025-64427. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-64427?

Within 24 hours: Identify and inventory all ZimaOS deployments in your environment and isolate affected systems from production networks if operationally feasible. Within 7 days: Implement compensating controls including network segmentation, restrict administrative access, enable enhanced logging and monitoring, and establish daily vulnerability tracking for patch availability. Within 30 days: Develop a remediation plan including upgrade to patched ZimaOS versions when released, or evaluate alternative operating systems if patches remain unavailable.

Zimaos CVE-2025-64427

HIGH

Information Exposure (CWE-200)

2026-03-02 security-advisories@github.com

Information Disclosure Zimaos

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 15:18 vuln.today

Public exploit code

CVE Published

Mar 02, 2026 - 17:16 nvd

HIGH 7.1

DescriptionGitHub Advisory

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

AnalysisAI

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]

Technical ContextAI

Classified as CWE-200 (Information Exposure). Affects Zimaos. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-64427 vulnerability details – vuln.today

Back