Cyber Resilience

CVE-2026-28286

High · Public PoC

Published: 02 March 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: none publicly available
CVSS Score (v3.1): 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28286 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Zimaspace Zimaos. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28286 is a path validation vulnerability in ZimaOS version 1.5.2-beta3, a fork of CasaOS designed as an operating system for Zima devices and x86-64 systems with UEFI. The frontend UI enforces restrictions to prevent users from creating files or folders in internal OS paths, but the backend API lacks proper validation of target paths. This allows attackers to bypass restrictions by sending crafted requests that target sensitive system directories such as /etc or /usr, enabling unauthorized file or directory creation in locations inaccessible to normal users. The vulnerability is rated 8.5 on the CVSS 3.1 scale (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).

A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), achieving scope change (S:C) with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). By crafting API requests that specify restricted paths, the attacker can write files or create directories in critical system areas, potentially leading to privilege escalation, persistence, or full system compromise depending on the content written.

The GitHub Security Advisory at https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g details the issue, confirming the API bypass in version 1.5.2-beta3. No patch is publicly available, so practitioners should restrict API access, monitor for anomalous file creations in sensitive directories, and consider isolating ZimaOS instances until a fix is released.

Vulnerability details

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypassable. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
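As an added example (not code from ZimaOS, CasaOS or the advisory), the following Go check is the kind of server-side target-path validation the advisory says the API lacks. It assumes a configured user-storage root such as /DATA (an assumption, not from the page) and rejects any request whose canonical target, after resolving `..` and symlinks in its existing ancestors, falls outside that root, so /etc and /usr are refused even when the frontend restrictions are skipped.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// canonicalize makes p absolute and resolves symlinks in its deepest existing ancestor, so it also covers a target that does not exist yet (a create-file/folder request).
func canonicalize(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	existing, rest := abs, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		parent := filepath.Dir(existing)
		if parent == existing {
			break // reached the filesystem root, which always exists
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // dangling link: fail closed
	if err != nil {
		return "", err
	}
	return filepath.Join(resolved, rest), nil
}

// CheckTarget is the server-side check the advisory says the API lacks: the resolved target must be the data root itself or lie strictly below it, otherwise the request is rejected.
func CheckTarget(root, requested string) (string, error) {
	rootCanon, err := canonicalize(root)
	if err != nil {
		return "", err
	}
	target, err := canonicalize(requested)
	if err != nil {
		return "", err
	}
	if target != rootCanon && !strings.HasPrefix(target, rootCanon+string(os.PathSeparator)) {
		return "", fmt.Errorf("%q resolves to %q, outside %q", requested, target, rootCanon)
	}
	return target, nil
}
func main() { fmt.Println(CheckTarget("/DATA", "/DATA/../etc/cron.d/job")) } // "/DATA" is an assumed root
```

The same check covers the SI-10 (input validation) and AC-3 (access enforcement) controls listed under Mitigating Controls below: the decision is made on the canonical path, not on what the client typed.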

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account (tactic: Persistence)
Adversaries may create a local account to maintain access to victim systems.
T1053.003 Cron (tactic: Execution)
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.
T1543.002 Systemd Service (tactic: Persistence)
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.
T1037.004 RC Scripts (tactic: Persistence)
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path validation bypass enables unauthorized file/directory creation in /etc and /usr, directly facilitating Linux persistence mechanisms (systemd services, cron, rc scripts, local accounts) and privilege escalation via T1068; exploitation occurs through the public-facing API (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28442 (same product: Zimaspace Zimaos)
CVE-2025-64427 (same product: Zimaspace Zimaos)
CVE-2026-28798 (same product: Zimaspace Zimaos)
CVE-2026-21891 (same product: Zimaspace Zimaos)
CVE-2024-22341 (shared CWE-73)
CVE-2026-26359 (shared CWE-73)
CVE-2025-65473 (shared CWE-73)
CVE-2025-10134 (shared CWE-73)
CVE-2026-20931 (shared CWE-73)
CVE-2026-40370 (shared CWE-73)

Affected Assets

Vendor: zimaspace · Product: zimaos · Version: 1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation · prevent

Directly addresses the API's failure to validate target paths in crafted requests, preventing unauthorized file creation in sensitive directories like /etc or /usr.

AC-3 Access Enforcement · prevent

Enforces logical access controls to system resources, mitigating the bypass of frontend restrictions by requiring the API to validate and restrict writes to critical paths.

prevent

Limits low-privileged users' access via the API to only the privileges they need, reducing the impact of path validation bypasses on sensitive system directories.
