CVE-2025-64427 HIGH

CVE-2025-64427: ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)

Vendor Icewhaletech

Product ZimaOS

Weakness CWE-918 · SSRF

Published March 2, 2026

Last update March 3, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

What the vulnerability does

01Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

Key dates

02Disclosure timeline

March 2, 2026 CVE published

March 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64427

Related vulnerabilities

CVE-2025-64427: ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)

01Description

02Disclosure timeline

03References

04Related CVE