Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Published: 2026-01-08
Score: 9.4 Critical
EPSS: 14.1% Moderate
KEV: No
Impact: Unauthorized Access via Authentication Bypass
Action: Restrict Accounts
AI Analysis

Impact

The vulnerability in ZimaOS versions up to and including 1.5.0 allows a user to bypass authentication when the login username matches a known system service account, because the result of the password validation is misinterpreted or ignored for those accounts. Any actor who knows one of these account names can log in with an arbitrary password and obtain an authenticated session. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) the flaw is exploitable over the network without prior privileges or user interaction, with high impact on confidentiality and integrity and a lower impact on availability. The weakness is classified as CWE-287, Improper Authentication.
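The mechanism described above, as an added illustration of the CWE-287 pattern. This is example code written for this page, not ZimaOS's login implementation, and the account names, passwords and session format are invented: a login routine that verifies the password but discards the result on the branch that handles system service accounts, beside a hardened version that applies one verification path to every account and refuses interactive login for service accounts altogether.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical account names and passwords constructed for this example;
# they are not ZimaOS's real accounts or credentials.
SYSTEM_ACCOUNTS = {"svc-backup", "svc-updater"}
ALICE_PASSWORD = "correct horse battery staple"
SVC_BACKUP_PASSWORD = secrets.token_urlsafe(32)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_store() -> dict:
    """Constructed user store: name -> (salt, password hash)."""
    store = {}
    for name, pw in (("alice", ALICE_PASSWORD), ("svc-backup", SVC_BACKUP_PASSWORD)):
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store


USERS = build_store()


def verify_password(name: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    rec = USERS.get(name)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(hash_password(password, salt), expected)


def issue_session(name: str) -> str:
    """Stand-in for session creation; the real token format is not part of this page."""
    return f"{name}:{secrets.token_hex(16)}"


def vulnerable_login(name: str, password: str):
    """Illustrative CWE-287 pattern: the username is checked and the password is
    checked, but the password result is never consulted on the system-account branch."""
    if name not in USERS:
        return None
    password_ok = verify_password(name, password)
    if name in SYSTEM_ACCOUNTS:
        # Bug: returning here treats "username recognised" as "authenticated",
        # so any password is accepted for a service account.
        return issue_session(name)
    return issue_session(name) if password_ok else None


def fixed_login(name: str, password: str):
    """Hardened form: verify the password for every account on the same path,
    then refuse interactive login for service accounts regardless of the result."""
    password_ok = verify_password(name, password)
    if name in SYSTEM_ACCOUNTS or not password_ok:
        return None
    return issue_session(name)


if __name__ == "__main__":
    print("vulnerable, wrong password for service account:",
          vulnerable_login("svc-backup", "anything") is not None)
    print("fixed, wrong password for service account:",
          fixed_login("svc-backup", "anything") is not None)
    print("fixed, alice with correct password:",
          fixed_login("alice", ALICE_PASSWORD) is not None)
```

The hardened version still runs the hash comparison before checking the service-account list so that the refusal does not short-circuit and leak, through timing, which names are service accounts.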

Affected Systems

IceWhaleTech ZimaOS, an operating system for Zima devices and x86‑64 systems with UEFI, is affected. All releases up to and including version 1.5.0 contain the flaw; no patched version is presently available.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.4 (Critical) and an EPSS score of 14.1%, which OpenCVE rates as moderate but which is well above the baseline for newly published CVEs. It is not listed in the CISA KEV catalog, although the SSVC assessment recorded for it (Exploitation: poc, Automatable: yes, Technical Impact: total) indicates that a public proof of concept exists and that exploitation does not require manual steps per target. The flaw is exploited through the ordinary login interface with no prior credentials; if that interface is reachable from an untrusted network, an attacker obtains an authenticated session as the service account and, depending on that account's privileges, control of the device. The risk remains high until a vendor patch or a configuration mitigation is applied.

Generated by OpenCVE AI on April 18, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or rename all system service accounts that can authenticate through the ZimaOS login interface, and confirm afterwards that a login with one of those names and a random password is refused.
  • Do not rely on password policy: the flaw accepts any password for the affected usernames, so password strength and rotation give no protection. Multi‑factor authentication helps only if the second factor is enforced independently of the password check being bypassed; otherwise place an additional authentication layer (VPN or a reverse proxy with its own login) in front of the interface.
  • Restrict the login service to trusted IP ranges, keep it off the public Internet, and alert on login attempts, especially successful ones, that use known system account names or that cycle through several usernames from one source.
  • Track IceWhaleTech's advisories for a fix and apply the patch as soon as it becomes available.
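A worked example of the monitoring point in the list above, added here and not part of the OpenCVE page or the ZimaOS project: it scans JSON-lines login audit events for any attempt, and especially any success, that uses a system service account name, and for a single source trying several usernames. The event format, the account names and the sample log are all constructed for this example; ZimaOS's actual log format is not documented on this page, so the parser would need adapting to the real source.

```python
import json
from collections import defaultdict

# Hypothetical service-account names; ZimaOS's real account list is not on this page.
SYSTEM_ACCOUNTS = {"svc-backup", "svc-updater"}

# Constructed sample of JSON-lines login audit events (not a real ZimaOS log format).
SAMPLE_LOG = """
{"ts": "2026-01-10T12:00:01Z", "src": "198.51.100.20", "user": "alice", "result": "success"}
{"ts": "2026-01-10T12:00:05Z", "src": "203.0.113.7", "user": "admin", "result": "failure"}
{"ts": "2026-01-10T12:00:06Z", "src": "203.0.113.7", "user": "svc-backup", "result": "failure"}
{"ts": "2026-01-10T12:00:07Z", "src": "203.0.113.7", "user": "svc-updater", "result": "success"}
{"ts": "2026-01-10T12:01:30Z", "src": "198.51.100.20", "user": "alice", "result": "failure"}
""".strip().splitlines()

REQUIRED_FIELDS = {"ts", "src", "user", "result"}


def parse_events(lines):
    """Yield well-formed events; malformed lines are skipped rather than aborting the scan."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED_FIELDS.issubset(ev):
            yield ev


def analyze(lines, system_accounts=SYSTEM_ACCOUNTS, enum_threshold=3):
    """Return a list of alert dicts.

    - Any login attempt with a service-account username is alerted: 'critical'
      if it succeeded (the bypass may have fired), 'high' if it failed.
    - A source that tries enum_threshold or more distinct usernames is alerted
      as possible username enumeration ahead of exploitation.
    """
    alerts = []
    users_per_source = defaultdict(set)
    for ev in parse_events(lines):
        users_per_source[ev["src"]].add(ev["user"])
        if ev["user"] in system_accounts:
            severity = "critical" if ev["result"] == "success" else "high"
            alerts.append({"severity": severity, "rule": "service-account-login", **ev})
    for src, users in users_per_source.items():
        if len(users) >= enum_threshold:
            alerts.append({"severity": "medium", "rule": "username-enumeration",
                           "src": src, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

Successful service-account logins are the signal that matters most here: because the bypass accepts any password, a "success" for one of those names is indistinguishable from exploitation and should be treated as a compromise until proven otherwise.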


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Zimaspace
Zimaspace zimaos
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*
Vendors & Products Zimaspace
Zimaspace zimaos

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Icewhaletech
Icewhaletech zimaos
Vendors & Products Icewhaletech
Icewhaletech zimaos

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Title ZimaOS has Authentication Bypass via System-Level Username
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:55:23.245Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21891

Vulnrichment

Updated: 2026-01-08T14:52:30.079Z

NVD

Status : Analyzed

Published: 2026-01-08T14:15:57.403

Modified: 2026-01-12T17:13:00.240

Link: CVE-2026-21891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses