
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in …

Published:

1 March 2026 at 23:00:00

Alert date:

2 March 2026 at 18:02:45

Source:

nvd.nist.gov

Operating Systems, Mobile & IoT

ZimaOS version 1.5.2-beta3 contains a path traversal vulnerability where API restrictions can be bypassed to create files in sensitive system directories. The frontend enforces path restrictions but the API does not properly validate target paths, allowing unauthorized operations on critical directories like /etc and /usr. This affects ZimaOS, a fork of CasaOS for Zima devices and x86-64 systems. No patch is currently available for this vulnerability.
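
The gap described above is that the path restriction lives only in the frontend. As an added example (not ZimaOS or CasaOS code, and not taken from the advisory), this is a server-side check in Go that an API handler could apply before creating a file; `resolveInRoot`, `ErrOutsideRoot` and the storage root are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("target path is outside the permitted root")

// resolveInRoot canonicalises a client-supplied path on the server and rejects
// anything that would land outside root (hypothetical helper, not ZimaOS code).
func resolveInRoot(root, requested string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target := filepath.Clean(requested) // collapses "..", "." and duplicate slashes
	if !filepath.IsAbs(target) {
		target = filepath.Join(realRoot, target)
	}
	// The file may not exist yet: resolve symlinks on the deepest existing ancestor.
	existing, rest := target, ""
	for {
		resolved, err := filepath.EvalSymlinks(existing)
		if err == nil {
			target = filepath.Join(resolved, rest)
			break
		}
		parent := filepath.Dir(existing)
		if !os.IsNotExist(err) || parent == existing {
			return "", err
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = parent
	}
	if target != realRoot && !strings.HasPrefix(target, realRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	// os.TempDir() is a constructed stand-in for a user storage root.
	for _, p := range []string{"docs/new.txt", "/etc/cron.d/job", "../../usr/bin/x"} {
		_, err := resolveInRoot(os.TempDir(), p)
		fmt.Printf("%q allowed=%v\n", p, err == nil)
	}
}
```

The handler should create the file at the returned path, not at the string the client sent, so the checked path and the written path cannot differ.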

Technical details

Affected products:

ZimaOS

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
