CVE-2026-21891
published 2026-01-08


Priority: P182, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (ITW exploit, VulnCheck KEV)
EPSS: 2.17% (80.0th percentile)
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.

Affected (2 ranges)

Vendor         Product   Version range   Fixed in
icewhaletech   zimaos    <= 1.5.0        (none)
zimaspace      zimaos    <= 1.5.0        (none)

Detection & IOCs (extracted from sources)

url: POST /v1/users/login
other: username=root&password=<any>
  • Detect authentication bypass attempts against ZimaOS login endpoint: look for POST requests to /v1/users/login with Content-Type: application/json containing known system service account usernames (e.g., 'root') and any arbitrary password value.
  • A successful exploitation response will return HTTP 200 with a JSON body containing the fields 'success', 'username', and 'created_at' simultaneously, and Content-Type: application/json.
  • Use Shodan query 'html:"ZimaOS"' to identify internet-exposed ZimaOS instances potentially vulnerable to this authentication bypass.
  • The vulnerability affects ZimaOS versions up to and including 1.5.0; fingerprint targets using CPE cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*.
  • Exploitation requires prior knowledge of a valid system service account username (e.g., 'root'); the bypass only applies to known system service accounts, not arbitrary usernames.
  • As of time of publication, no patched version exists; all ZimaOS deployments at version 1.5.0 and below should be considered vulnerable.
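The detection notes above, turned into a small triage routine over request/response records. This is an added example, not code from the CVE record or the ZimaOS project; the record shape, the sample traffic and the service-account set are assumptions (only 'root' is named in the record).

```python
# Added example, not from the CVE record or the ZimaOS project. Flags login traffic
# matching the detection notes: record shape and service-account set are assumptions.
import json

LOGIN_PATH = "/v1/users/login"
SERVICE_ACCOUNTS = {"root"}  # only 'root' is named in the record; extend per build
SUCCESS_FIELDS = {"success", "username", "created_at"}


def is_json(headers):
    ct = headers.get("content-type", "")
    return ct.split(";")[0].strip().lower() == "application/json"


def parse_json(text):
    try:
        return json.loads(text)
    except ValueError:
        return None


def classify_login(rec):
    """None, 'attempt' (service-account login) or 'bypass' (it also succeeded)."""
    if rec["method"] != "POST" or rec["path"] != LOGIN_PATH or not is_json(rec["req_headers"]):
        return None
    body = parse_json(rec["req_body"])
    if not isinstance(body, dict) or str(body.get("username", "")).lower() not in SERVICE_ACCOUNTS:
        return None
    # Any password qualifies: the flaw is in the server-side check, so every
    # service-account login on an unpatched host is suspect, not only odd ones.
    resp = parse_json(rec["resp_body"]) if rec["status"] == 200 and is_json(rec["resp_headers"]) else None
    if isinstance(resp, dict) and SUCCESS_FIELDS.issubset(resp):
        return "bypass"
    return "attempt"


def scan(records):
    return [(r["src"], v) for r in records if (v := classify_login(r))]


JSON = {"content-type": "application/json"}
# Constructed sample records, not captured traffic.
SAMPLES = [
    {"src": "198.51.100.7", "method": "POST", "path": LOGIN_PATH, "req_headers": JSON,
     "req_body": '{"username":"root","password":"anything"}', "status": 200, "resp_headers": JSON,
     "resp_body": '{"success":200,"username":"root","created_at":"2026-01-08T00:00:00Z"}'},
    {"src": "198.51.100.8", "method": "POST", "path": LOGIN_PATH, "req_headers": JSON,
     "req_body": '{"username":"root","password":"anything"}', "status": 401,
     "resp_headers": JSON, "resp_body": '{"message":"invalid"}'},
    {"src": "198.51.100.9", "method": "POST", "path": LOGIN_PATH, "req_headers": JSON,
     "req_body": '{"username":"alice","password":"pw"}', "status": 200,
     "resp_headers": JSON, "resp_body": '{"success":200,"username":"alice"}'},
]
if __name__ == "__main__":
    print(scan(SAMPLES))
```

Because any password is accepted, a bypass is indistinguishable from a legitimate 'root' login by the request alone; on an unpatched host treat every 'bypass' hit as an incident and correlate with source address and what the session did next.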

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.4 CRITICAL