CVE-2026-21891
Published 2026-01-08
Priority: P182 · Critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 2.17% (80.0th percentile)
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewhaletech | zimaos | <= 1.5.0 | — |
| zimaspace | zimaos | <= 1.5.0 | — |
Detection & IOCs
- Detect authentication bypass attempts against the ZimaOS login endpoint: look for POST requests to /v1/users/login with Content-Type: application/json containing known system service account usernames (e.g., 'root') and any arbitrary password value.
- A successful exploitation response returns HTTP 200 with Content-Type: application/json and a JSON body containing the fields 'success', 'username', and 'created_at' together.
- The Shodan query html:"ZimaOS" identifies internet-exposed ZimaOS instances potentially vulnerable to this authentication bypass.
- The vulnerability affects ZimaOS versions up to and including 1.5.0; affected installations can be fingerprinted using CPE cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*.
- Exploitation requires prior knowledge of a valid system service account username (e.g., 'root'); the bypass applies only to known system service accounts, not arbitrary usernames.
- As of time of publication, no patched version exists; all ZimaOS deployments at version 1.5.0 and below should be considered vulnerable.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.4 | CRITICAL | — |
No detection rules found.
Nuclei
CVE-2026-21891 [CRITICAL] ZimaOS - Authentication Bypass (nuclei · CVSS 9.8)
ZimaOS <= 1.5.0 contains broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts; exploitation requires knowledge of common usernames.

Template:
```yaml
id: CVE-2026-21891

info:
  name: ZimaOS - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    ZimaOS <= 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames.
  impact: |
    Attackers can gain authenticated access to system service accounts without valid passwords, potentially c
```
No writeups or analysis indexed.
2026-01-08: Published