CVE-2025-58432 MEDIUM

CVE-2025-58432: ZimaOS Privilege Escalation using localhost calls to File API Upload

Vendor Icewhaletech
Product ZimaOS
Weakness CWE-250
Published September 17, 2025
Last update September 17, 2025

CVSS base score

5.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.

Key dates

Disclosure timeline

September 17, 2025 CVE published
September 17, 2025 Record updated