PT-2025-38236 · Icewhaletech · Zimaos

Published

2025-09-17

Updated

2025-09-17

CVE-2025-58431

CVSS v4.0

4.8

Vector

AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2 1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-250

Related Identifiers

CVE-2025-58431

Affected Products

Zimaos

PT-2025-38236 · Icewhaletech · Zimaos

Weakness Enumeration

Related Identifiers

Affected Products

References · 2