Impact
The vulnerability in ZimaOS versions up to 1.5.0 allows an attacker to bypass authentication when the username matches a known system service account. During login, the system disregards or misinterprets the password validation step for these users, permitting access with any password. As a consequence, anyone who knows one of the common system usernames can gain full administrative privileges, which threatens confidentiality, integrity, and availability of the device. Based on the description, it is inferred that this flaw can be exploited simply by submitting a login request with a valid system account name and an arbitrary password, without the need for additional privileges or system exploitation.
Affected systems include IceWhaleTech ZimaOS, an operating system for Zima devices and x86‑64 UEFI systems. All releases up to and including version 1.5.0 contain the flaw, and no patched version is currently available.
The risk is significant: a CVSS score of 9.4 reflects critical impact and easy exploitation. The EPSS probability of 6 % indicates a non‑trivial likelihood of attacks. The vulnerability is not listed in the CISA KEV catalog, but the high severity and the presence of remote login interfaces make it a prime target for adversaries. The most likely attack vector is the exposed login service; if this interface is reachable over a network, attackers can acquire full control of the device without additional privileges.
Affected Systems
IceWhaleTech ZimaOS on Zima devices and x86‑64 UEFI systems, all releases up to version 1.5.0
Risk and Exploitability
This flaw carries a CVSS score of 9.4 and an EPSS score of 6 %, indicating a high probability of exploitation, especially when the login interface is exposed remotely. Although not yet listed in the CISA KEV catalog, the ease of bypassing authentication makes it a compelling target for attackers seeking to gain full system control.
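The following is an added illustration, not ZimaOS code or a vendor fix: a fail-closed login check in which service accounts are refused before any password handling and every other account must match a stored hash. It assumes Linux passwd-format account records and the common convention that regular users start at UID 1000; the sample records, user names and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed passwd-format sample; not taken from a ZimaOS image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MIN_HUMAN_UID = 1000  # assumption: common Linux convention for regular users

def service_accounts(passwd_text):
    """Return names of accounts that should never log in interactively."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid < MIN_HUMAN_UID or shell in NOLOGIN_SHELLS:
            names.add(name)
    return names

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login_allowed(username, password, credentials, denied):
    """Fail closed: no code path returns True without a matching hash."""
    if username in denied:
        return False  # service accounts are rejected regardless of password
    record = credentials.get(username)
    if record is None:
        return False  # unknown user
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def demo():
    salt = os.urandom(16)
    creds = {"alice": (salt, hash_password("correct horse", salt))}
    denied = service_accounts(SAMPLE_PASSWD)
    tries = [("daemon", "anything"), ("alice", "wrong"), ("alice", "correct horse")]
    return [login_allowed(u, p, creds, denied) for u, p in tries]
```

The same `service_accounts` set can be used to review login records for any successful session under a service account name.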