ZimaOS
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. No patch is currently available.
ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions and write files to protected system directories such as /etc and /usr. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to modify critical OS files and potentially achieve code execution. No patch is currently available.
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]
ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not properly validated during login. Attackers can access the system using known service account names with any password. PoC available, EPSS 13.6%.
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CVSS 5.2), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available and no vendor patch is available.
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CVSS 4.8), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available and no vendor patch is available.