CVE-2026-28442
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.
Analysis
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all ZimaOS 1.5.2-beta3 deployments and assess their criticality and exposure to untrusted users. Within 7 days: Implement network segmentation to restrict administrative access, disable unnecessary user privileges, and enable comprehensive audit logging of file system operations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today