CVE-2025-64427 — HIGH (7.1)

Q: How severe is CVE-2025-64427?

CVE-2025-64427 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-64427?

Check the references section above for vendor advisories and patch information. Affected products include: Zimaspace Zimaos.

Vulnerability Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Zimaspace	Zimaos	<= 1.5.0

Related Weaknesses (CWE)

CWE-918 CWE-200

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-m8hj-7xg5-p375ExploitMitigationVendor Advisory

FAQ

What is CVE-2025-64427?

CVE-2025-64427 is a vulnerability with a CVSS score of 7.1 (HIGH). ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticate...

How severe is CVE-2025-64427?

CVE-2025-64427 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-64427?

Check the references section above for vendor advisories and patch information. Affected products include: Zimaspace Zimaos.