Platform: linux
Component: zimaos
Fixed in: 1.5.1
CVE-2025-64427 is a Server-Side Request Forgery (SSRF) vulnerability in ZimaOS, a fork of CasaOS built for Zima devices and x86-64 systems. An authenticated user can supply a URL that the ZimaOS server fetches on their behalf, and the server will follow it to internal IP addresses, exposing services that are reachable only from the host itself or from its network. The fix ships in ZimaOS 1.5.1 (the fixed-in release listed above); earlier releases are affected.
The flaw requires only a valid ZimaOS account, not shell access to the box. Because the request is issued by the ZimaOS process, it originates from the server's own network position: loopback-bound management APIs, other containers on the host, databases and devices on the LAN, and any cloud metadata endpoint are all reachable even though none of them accepts connections from the attacker's machine. The attacker controls the target host, port and path, so the same primitive serves for scanning the internal network, discovering which services answer, and then reading from or sending commands to them. Impact therefore ranges from information disclosure to control of whatever internal service trusts requests from the ZimaOS host, and it is bounded only by what is listening there.
CVE-2025-64427 was publicly disclosed on 2026-03-02. No public proof-of-concept exploit is known. The EPSS score is 0.03% (10th percentile, see the scoring block below), consistent with a flaw that needs a valid account before it can be used; it is not listed in the CISA KEV catalog.
Organizations and individuals running ZimaOS alongside sensitive internal services are at risk. This includes anyone still on a version prior to 1.5.1 who has not applied compensating controls such as network segmentation of the ZimaOS host or egress rules that restrict where the ZimaOS process may connect.
• linux / server (ZimaOS journal): search the service log for fetches whose target is a loopback, private or link-local address:
journalctl -u zimaos | grep -E '(localhost|127\.[0-9.]+|10\.[0-9.]+|192\.168\.[0-9.]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9.]+|169\.254\.[0-9.]+)'
• linux / server (host inventory): list the services bound on the ZimaOS host; anything listening on loopback or a LAN address is a candidate SSRF target:
ss -ltnp
• generic web (version check): confirm the instance answers, then compare the version shown in its web UI against 1.5.1 (<zimaos_ip> is a placeholder):
curl -sI http://<zimaos_ip>/
• generic web (reverse-proxy log): if nginx fronts ZimaOS, apply the same address pattern to its access log:
grep -E '(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' /var/log/nginx/access.log
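The grep patterns above catch IP literals but not URL-encoded ones, which is how a browser or API client normally sends them. The following is an added example, not ZimaOS code: it parses nginx-style access-log lines, decodes every query-string value, and flags values that are URLs pointing at loopback, private, link-local or `localhost` hosts. The sample lines, the `/v1/proxy` path and the `url=` parameter name are constructed for the example; ZimaOS's real endpoint and parameter names are not given on this page.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (nginx "combined" format). The endpoint and
// parameter names are assumptions for the example, not ZimaOS's actual API.
const sampleLog = `192.168.1.20 - - [02/Mar/2026:10:01:12 +0000] "GET /v1/proxy?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [02/Mar/2026:10:01:30 +0000] "GET /v1/proxy?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.20 - - [02/Mar/2026:10:01:31 +0000] "GET /v1/proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data HTTP/1.1" 404 0 "-" "curl/8.5.0"
192.168.1.20 - - [02/Mar/2026:10:01:45 +0000] "GET /v1/proxy?url=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 100 "-" "curl/8.5.0"
192.168.1.20 - - [02/Mar/2026:10:02:00 +0000] "GET /v1/files?path=%2Fmedia HTTP/1.1" 200 100 "-" "Mozilla/5.0"
`

// client, timestamp, method and request target of a combined-format line
var reqRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"`)

// Finding is one request whose query carried a URL aimed at an internal host.
type Finding struct {
	Client, Time, Method, Target string
}

// isInternalHost treats localhost names and loopback/private/link-local/
// unspecified IP literals as internal. Hostnames that merely resolve to
// internal addresses cannot be judged from a log line alone.
func isInternalHost(host string) bool {
	h := strings.ToLower(host)
	if h == "localhost" || strings.HasSuffix(h, ".localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// ScanAccessLog decodes each request's query string and reports every value
// that is itself a URL with an internal host.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := reqRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		req, err := url.Parse(m[4])
		if err != nil {
			continue
		}
		for _, vals := range req.Query() { // Query() percent-decodes the values
			for _, v := range vals {
				t, err := url.Parse(v)
				if err != nil || t.Host == "" {
					continue
				}
				if isInternalHost(t.Hostname()) {
					out = append(out, Finding{m[1], m[2], m[3], v})
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("%s %s %s -> %s\n", f.Time, f.Client, f.Method, f.Target)
	}
}
```

Run it over a real log with `ScanAccessLog(string(bytes))`; the same function works on `journalctl -o cat` output as long as the request line is logged in this shape. A hostname such as `internal-db.lan` passes through unflagged here, so pair this scan with the resolver-aware check used at request time.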
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64427 is to upgrade ZimaOS to version 1.5.1 or later (the fixed-in release listed above), which carries the server-side check that stops the SSRF. If upgrading is not immediately feasible, restrict where the ZimaOS host may connect: host firewall or network segmentation rules that deny outbound connections from the ZimaOS service to loopback-only management ports, other internal services and cloud metadata addresses. A Web Application Firewall that filters requests containing internal IP literals stops the obvious payloads but is not a complete control: an attacker can supply a hostname that resolves to an internal address, a public host that redirects inward, or an alternate encoding of the same address (decimal, octal, IPv4-mapped IPv6), none of which a literal string match catches. Regularly review and audit ZimaOS configurations and the list of services listening on the host.
Update ZimaOS to version 1.5.1 or later. This release contains the fix for the SSRF vulnerability. No patches are available for earlier versions.
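The check that a fixed server needs, and the reason IP-literal filtering alone is insufficient, are easier to see in code. This is an added example in Go (the language of CasaOS and its forks) and is not ZimaOS's own code or its actual fix; function names, the scheme allow-list and the redirect limit are choices made here. It validates a user-supplied URL before fetching (scheme, no credentials, every resolved address public) and then repeats the address check inside the dialer's `Control` hook, so a name that resolves publicly at validation time but rebinds to an internal address at connect time is still refused.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Resolver abstracts name lookup so the check can be exercised offline;
// production code passes defaultResolve.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

func defaultResolve(ctx context.Context, host string) ([]net.IPAddr, error) {
	return net.DefaultResolver.LookupIPAddr(ctx, host)
}

// isInternalIP covers loopback, RFC 1918 and IPv6 ULA (IsPrivate), link-local
// (which includes the 169.254.169.254 metadata address), multicast and unspecified.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateOutboundURL is the pre-flight check on a user-supplied URL:
// http(s) only, no userinfo, and every address the host maps to is public.
func ValidateOutboundURL(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	var addrs []net.IPAddr
	if ip := net.ParseIP(host); ip != nil {
		addrs = []net.IPAddr{{IP: ip}}
	} else if addrs, err = resolve(ctx, host); err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(addrs) == 0 {
		return fmt.Errorf("host %q has no addresses", host)
	}
	for _, a := range addrs { // reject if ANY address is internal (mixed answers are a classic bypass)
		if isInternalIP(a.IP) {
			return fmt.Errorf("host %q maps to internal address %s", host, a.IP)
		}
	}
	return nil
}

// dialControl runs just before connect() with the address the dialer actually
// resolved, so DNS rebinding after pre-flight still ends in a refused connection.
func dialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || isInternalIP(ip) {
		return fmt.Errorf("refusing to connect to %s", address)
	}
	return nil
}

// NewGuardedClient returns an http.Client whose every connection, including
// redirect hops, goes through dialControl. Proxy is nil so HTTP_PROXY in the
// environment cannot route the request around the check.
func NewGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: dialControl}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext, Proxy: nil},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return ValidateOutboundURL(req.Context(), req.URL.String(), defaultResolve)
		},
	}
}

func main() {
	ctx := context.Background()
	for _, raw := range []string{
		"http://127.0.0.1:8080/admin",
		"http://169.254.169.254/latest/meta-data",
		"http://[::1]/",
		"https://203.0.113.5/feed", // TEST-NET-3 literal, stands in for a public address
	} {
		fmt.Printf("%-42s -> %v\n", raw, ValidateOutboundURL(ctx, raw, defaultResolve))
	}
	_ = NewGuardedClient()
}
```

Inputs such as `http://2130706433/` or `http://0x7f.1/` are not IP literals to `net.ParseIP`, so they reach the resolver; whatever the OS turns them into is then checked again in `dialControl`, which is the layer that actually matters. Port restrictions (for example allowing only 80 and 443) are a sensible further tightening that this example leaves to the caller.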
CVE-2025-64427 is a Server-Side Request Forgery vulnerability in ZimaOS versions prior to 1.5.1 that lets an authenticated user make the server send requests to internal IP addresses.
You are affected if you run any ZimaOS version prior to 1.5.1 and have not applied compensating controls.
Upgrade ZimaOS to version 1.5.1 or later. Until then, restrict the host's outbound connections with firewall rules; treat WAF filtering of IP literals as a partial measure only.
Currently, there are no known active exploits or campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official ZimaOS documentation and security advisories on their website for the latest information.