CVE-2025-64427 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems. This flaw allows an authenticated local user to craft malicious requests targeting internal IP addresses, potentially exposing sensitive internal services. The vulnerability impacts versions of ZimaOS prior to 1.5.0, and a patch is now available.
The SSRF vulnerability in ZimaOS allows an attacker with local, authenticated access to supply a destination URL that the ZimaOS service then fetches on the attacker's behalf. Because the request originates from the server itself, it carries the host's network position rather than the user's: services bound to loopback or reachable only on the LAN, which the user could not contact directly, become reachable through ZimaOS. This could include internal APIs, databases, or other sensitive resources. The potential impact ranges from information disclosure to control over internal systems, depending on which services are exposed and whether the attacker can exploit them through the requests ZimaOS is willing to send. As with other SSRF flaws, the first step is usually internal network scanning and service discovery, using the response time or content of each request to map what is listening.
CVE-2025-64427 was publicly disclosed on 2026-03-02. No public proof-of-concept exploits are currently known. The EPSS score is 0.03% (10th percentile), a low estimated exploitation probability that is consistent with the local, authenticated access the flaw requires. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-64427 is to upgrade ZimaOS to version 1.5.0 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, temporary workarounds reduce the blast radius rather than close the hole: restrict outbound network access from the ZimaOS host with a firewall or network segmentation so that the server can reach only the destinations it legitimately needs (note that host-level egress rules do not stop requests to services bound to the host's own loopback interface), and, where a reverse proxy or Web Application Firewall fronts ZimaOS, filter requests whose URL parameters name loopback, private or link-local addresses. Treat the WAF rule as a stopgap only, since it can be bypassed with DNS names that resolve to internal addresses, redirects from a public host, or alternate address encodings. Limit the set of users with authenticated access to ZimaOS until the upgrade is applied.
Update ZimaOS to version 1.5.0 or later. This version contains the fix for the SSRF vulnerability. No patches are available for older versions.
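The description and mitigation paragraphs above explain the flaw in terms of where the server-side request is allowed to go. The following Go code is an added example, not ZimaOS's or CasaOS's own implementation, of the destination check such a fetch needs before it runs: it restricts the scheme, resolves the host, rejects loopback, RFC 1918, unique-local, link-local (which covers the 169.254.169.254 metadata address), CGNAT, multicast and unspecified addresses, rejects a name if any of its addresses is internal, and re-runs the check on every redirect hop. The function and type names (CheckOutboundURL, Resolver, StaticResolver, NewGuardedClient) and the name table standing in for DNS are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/netip"
	"net/url"
)

// Hypothetical helper for illustration; not ZimaOS/CasaOS code.

var errBlocked = errors.New("ssrf: destination address is not allowed")

// 100.64.0.0/10 (CGNAT) is not covered by netip.Addr.IsPrivate, so it is
// checked separately.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isDisallowedAddr reports whether an outbound fetch must never reach a:
// loopback, RFC 1918 / ULA, link-local (includes 169.254.169.254), CGNAT,
// multicast, or the unspecified address.
func isDisallowedAddr(a netip.Addr) bool {
	a = a.Unmap() // normalise IPv4-mapped IPv6 such as ::ffff:127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified() ||
		cgnat.Contains(a)
}

// Resolver abstracts DNS so the check can run offline in tests;
// net.DefaultResolver.LookupNetIP fits the same shape in production.
type Resolver func(host string) ([]netip.Addr, error)

// StaticResolver builds a Resolver over a constructed name table (test data,
// not real DNS). Unknown names fail, as a real lookup would.
func StaticResolver(table map[string][]netip.Addr) Resolver {
	return func(host string) ([]netip.Addr, error) {
		if addrs, ok := table[host]; ok {
			return addrs, nil
		}
		return nil, fmt.Errorf("resolve %q: no such host", host)
	}
}

// CheckOutboundURL validates a user-supplied URL before the server fetches
// it. A name is rejected if ANY of its addresses is disallowed, because the
// client may pick any of them when it dials.
func CheckOutboundURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("ssrf: scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("ssrf: URL has no host")
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // literal address, no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("ssrf: %q resolved to no addresses", host)
	}
	for _, a := range addrs {
		if isDisallowedAddr(a) {
			return nil, errBlocked
		}
	}
	return u, nil
}

// NewGuardedClient re-applies the check on each redirect, so a public host
// cannot bounce the fetch to an internal one with a 302.
func NewGuardedClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("ssrf: too many redirects")
			}
			_, err := CheckOutboundURL(req.URL.String(), resolve)
			return err
		},
	}
}

func main() {
	// Constructed name table standing in for DNS (example data).
	resolve := StaticResolver(map[string][]netip.Addr{
		"intranet.local": {netip.MustParseAddr("10.0.0.5")},
		"example.com":    {netip.MustParseAddr("93.184.216.34")},
	})
	for _, raw := range []string{
		"http://127.0.0.1:2375/containers/json",
		"http://[::ffff:127.0.0.1]/",
		"http://169.254.169.254/latest/meta-data/",
		"http://intranet.local/admin",
		"file:///etc/passwd",
		"https://example.com/",
	} {
		_, err := CheckOutboundURL(raw, resolve)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
	_ = NewGuardedClient(resolve)
}
```

Two caveats a reviewer should keep in mind. First, this check resolves the name once and the HTTP client resolves it again when dialing, which leaves a DNS rebinding window; the robust fix is to dial the address that passed the check (for example by overriding the transport's DialContext) rather than the name. Second, the allow/deny decision is made on the address, not on the scheme alone, so an "http" URL pointing at a loopback port is still refused; restricting the scheme only stops non-HTTP protocol handlers from being reached.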
CVE-2025-64427 is a Server-Side Request Forgery vulnerability in ZimaOS versions prior to 1.5.0, allowing an authenticated local user to make the ZimaOS server send requests to internal IP addresses.
You are affected if you are running a ZimaOS version earlier than 1.5.0 and have not implemented mitigating controls.
Upgrade ZimaOS to version 1.5.0 or later. Consider temporary workarounds like firewall rules or WAF configuration if immediate upgrade is not possible.
Currently, there are no known active exploits or campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official ZimaOS documentation and security advisories on their website for the latest information.