How to fix CVE-2025-64427?

Within 24 hours: Identify and inventory all ZimaOS deployments in your environment and isolate affected systems from production networks if operationally feasible. Within 7 days: Implement compensating controls including network segmentation, restrict administrative access, enable enhanced logging and monitoring, and establish daily vulnerability tracking for patch availability. Within 30 days: Develop a remediation plan including upgrade to patched ZimaOS versions when released, or evaluate alternative operating systems if patches remain unavailable.

Is Zimaos affected by CVE-2025-64427?

CVE-2025-64427 is a HIGH severity vulnerability affecting ZimaOS systems with a public exploit available and no patch currently available.

CVE-2025-64427

HIGH

2026-03-02 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 05, 2026 - 15:18 vuln.today

Public exploit code

CVE Published

Mar 02, 2026 - 17:16 nvd

HIGH 7.1

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

Analysis

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]

Technical Context

Classified as CWE-200 (Information Exposure). Affects Zimaos. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

Affected Products

Vendor: Zimaspace. Product: Zimaos.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: +20

CVE-2025-64427 vulnerability details – vuln.today

Back

CVE-2025-64427

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-64427

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code