CVE-2025-64427 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems. This flaw allows an authenticated local user to craft malicious requests targeting internal IP addresses, potentially exposing sensitive internal services. The vulnerability impacts versions of ZimaOS prior to 1.5.0, and a patch is now available.
The SSRF vulnerability in ZimaOS allows an attacker with local, authenticated access to craft requests that bypass intended security boundaries. By manipulating the target URL, an attacker can make the ZimaOS host send requests to internal services that are not meant to be reachable from outside. This could include internal APIs, databases, or other sensitive resources. The impact ranges from information disclosure to control over internal systems, depending on which services are exposed and whether the attacker can exploit them. The vulnerability resembles other SSRF cases in which internal network scanning and service discovery are used to identify exploitable targets.
CVE-2025-64427 was publicly disclosed on 2026-03-02. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation; the SSRF nature of the flaw suggests a moderate likelihood of exploitation, tempered by the requirement for local authenticated access. It is not currently listed in the CISA KEV catalog.
Organizations and individuals deploying ZimaOS in environments with sensitive internal services are at risk. This includes users who have not yet upgraded to version 1.5.0 and those who have not implemented compensating controls such as network segmentation or WAF rules to restrict outbound traffic.
• linux / server:
  journalctl -u zimaos | grep -i "internal ip address"
• linux / server:
  ps aux | grep -i "internal ip address"
• generic web:
  curl -I http://<zimaos_ip>/internal_service_endpoint
• generic web:
  grep -i "internal ip address" /var/log/nginx/access.log
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-64427 is to upgrade ZimaOS to version 1.5.0 or later, which includes the necessary fixes to prevent the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access from the ZimaOS instance using a firewall or network segmentation. Additionally, configure a Web Application Firewall (WAF) to filter requests containing suspicious URLs or internal IP addresses. Regularly review and audit ZimaOS configurations to ensure adherence to security best practices.
Update ZimaOS to version 1.5.0 or later. This version contains the fix for the SSRF vulnerability. No patch is available for earlier versions.
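The detection commands above grep for the literal phrase "internal ip address", which real requests never contain, and the WAF advice in the mitigation paragraph assumes some way of recognising URLs that point at non-routable addresses. The following added example (not code from ZimaOS or CasaOS) shows both halves of that defender's check: a fail-closed validator that rejects outbound URLs whose literal or DNS-resolved address is not globally routable (including IPv4-mapped IPv6 forms), and a scan of constructed nginx access-log lines for a hypothetical /v1/fetch?url= parameter pointing at such an address. The endpoint and parameter name are assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

# Constructed nginx access-log lines (not from a real ZimaOS host); the
# "url" parameter on a hypothetical /v1/fetch endpoint is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2026:10:00:01 +0000] "GET /v1/fetch?url=https%3A%2F%2Fexample.org%2Ffeed HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Mar/2026:10:00:07 +0000] "GET /v1/fetch?url=http%3A%2F%2F127.0.0.1%3A2375%2Fversion HTTP/1.1" 200 88',
    '10.0.0.5 - - [02/Mar/2026:10:00:09 +0000] "GET /v1/fetch?url=http%3A%2F%2F%5B%3A%3Affff%3A10.0.0.1%5D%2F HTTP/1.1" 502 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def _resolve(host):
    # All addresses the name maps to; one internal record is enough to reject.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    # Not globally routable: private, loopback, link-local, CGNAT, reserved...
    return not ip.is_global

def is_internal_target(url, resolve=_resolve):
    """True when url must not be fetched: non-http scheme, missing host,
    unresolvable name, or any literal/resolved address that is internal."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True  # fail closed on file://, gopher://, bare paths
    addrs = {parts.hostname}
    try:
        ipaddress.ip_address(parts.hostname)  # literal IP? ([] already stripped)
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except OSError:
            return True  # unresolvable: refuse rather than guess
    return any(is_internal_address(a) for a in addrs)

def find_internal_fetches(log_lines, param="url", resolve=_resolve):
    """Paths of logged requests whose fetch parameter targets an internal address."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and any(is_internal_target(c, resolve)
                     for c in parse_qs(urlparse(m.group(1)).query).get(param, [])):
            hits.append(m.group(1))
    return hits
```

Run over the sample log with a resolver that maps example.org to a public address, only the two requests aimed at 127.0.0.1 and the mapped 10.0.0.1 are reported; with live DNS, an unresolvable name is also refused.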
CVE-2025-64427 is a Server-Side Request Forgery vulnerability in ZimaOS versions prior to 1.5.0, allowing attackers to target internal IP addresses.
You are affected if you are running ZimaOS version 1.5.0 or earlier and have not implemented mitigating controls.
Upgrade ZimaOS to version 1.5.0 or later. Consider temporary workarounds like firewall rules or WAF configuration if immediate upgrade is not possible.
Currently, there are no known active exploits or campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official ZimaOS documentation and security advisories on their website for the latest information.