
CVE-2025-34171: CWE-862 Missing Authorization in IceWhale Tech CasaOS

0
Severity: Medium
Type: Vulnerability
Tags: CVE-2025-34171, cve, cve-2025-34171, cwe-862, cwe-497
Published: Sat Jan 03 2026 (01/03/2026, 21:18:51 UTC)
Source: CVE Database V5
Vendor/Project: IceWhale Tech
Product: CasaOS

Description

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.

AI-Powered Analysis

Last updated: 01/10/2026, 00:13:54 UTC

Technical Analysis

CVE-2025-34171 is a missing authorization vulnerability (CWE-862) in IceWhale Tech's CasaOS versions up to 0.4.15. The flaw arises because several REST API endpoints are accessible without authentication, exposing sensitive internal data. Specifically, the /v1/users/image endpoint accepts a user-controlled path parameter that allows arbitrary file read access under the directory /var/lib/casaos/1/. This can disclose installed applications and configuration files, which may contain sensitive operational details. The /v1/sys/debug endpoint reveals comprehensive system debug information including host operating system details, kernel version, hardware specifications, and storage configuration. Furthermore, the endpoints return distinct error messages that enable attackers to perform file existence enumeration on arbitrary paths in the underlying host filesystem. This combination of information disclosure vectors can be leveraged by attackers to perform detailed reconnaissance on the target system, identify potential weaknesses, and plan subsequent targeted attacks. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited remotely over the network. Although no public exploits are known, the vulnerability’s characteristics make it a significant risk for information leakage. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality, with no impact on integrity or availability.

Potential Impact

For European organizations deploying CasaOS, this vulnerability poses a risk of sensitive information leakage that could facilitate further attacks. Disclosure of configuration files and installed applications can reveal system architecture and software versions, aiding attackers in identifying exploitable components. The debug information leak provides detailed host environment data, which can be used to tailor exploits or pivot within the network. This is particularly concerning for organizations using CasaOS in critical infrastructure, small and medium enterprises, or home office environments where CasaOS may manage storage or IoT devices. The ability to enumerate file existence can also expose sensitive files or credentials stored on the host. While the vulnerability does not directly allow code execution or data modification, the reconnaissance advantage it grants can lead to more severe compromises. Given the growing adoption of CasaOS in Europe, especially in Germany, France, and the Netherlands where smart home and small business NAS solutions are popular, the impact could be significant if left unmitigated.

Mitigation Recommendations

Organizations should immediately upgrade CasaOS to a version beyond 0.4.15 once patches become available that enforce proper authorization on these endpoints. Until patches are released, network-level mitigations should be applied: restrict access to CasaOS management interfaces to trusted internal networks or VPNs, and implement firewall rules blocking external access to the vulnerable API endpoints. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting /v1/users/image and /v1/sys/debug endpoints. Conduct thorough audits of CasaOS deployments to identify exposed instances and monitor logs for unusual access patterns or repeated file enumeration attempts. Additionally, consider isolating CasaOS hosts from critical network segments to limit lateral movement if compromise occurs. Security teams should also educate users on the risks of exposing CasaOS interfaces publicly and enforce strong network segmentation. Finally, maintain up-to-date backups and incident response plans in case follow-up attacks succeed.
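The log monitoring recommended above can be sketched as follows. This is an added example, not code from this page or from the CasaOS project. It assumes a reverse proxy in front of CasaOS writing nginx/Apache "combined" access logs; the trusted networks, the threshold, and the sample lines (including the query parameter name and values) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints the advisory names as reachable without authentication.
WATCHED = {"/v1/users/image", "/v1/sys/debug"}
# Assumption: networks allowed to reach the CasaOS interface in this deployment.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption: reverse-proxy access log in nginx/Apache "combined" format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def is_external(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(addr in net for net in TRUSTED)

def analyze(lines, enum_threshold=3):
    """Summarise, per client, requests to the watched endpoints."""
    seen = defaultdict(lambda: {"requests": 0, "queries": set(), "debug": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        path = url.path.rstrip("/")
        if path not in WATCHED:
            continue
        entry = seen[client]
        entry["requests"] += 1
        entry["debug"] |= path == "/v1/sys/debug"
        if path == "/v1/users/image":
            entry["queries"].add(url.query)  # distinct file targets requested
    return {
        client: {
            "external": is_external(client),
            "requests": e["requests"],
            "debug_read": e["debug"],
            # Many distinct targets from one client suggests existence probing.
            "enumeration": len(e["queries"]) >= enum_threshold,
        }
        for client, e in seen.items()
    }

# Constructed sample (addresses, parameter name and values are made up).
_FMT = '{} - - [10/Jan/2026:00:00:00 +0000] "GET {} HTTP/1.1" 200 64 "-" "-"'
SAMPLE = [_FMT.format("203.0.113.7", f"/v1/users/image?path=SAMPLE-{c}") for c in "ABC"]
SAMPLE += [_FMT.format("203.0.113.7", "/v1/sys/debug"),
           _FMT.format("192.168.1.20", "/v1/users/image?path=SAMPLE-A")]
```

Clients reported with `external` and either `debug_read` or `enumeration` set are the ones to review first; tune `TRUSTED` and `enum_threshold` to the deployment.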


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.567Z
Cvss Version: null
State: REJECTED

Threat ID: 6957f5dddb813ff03ef50c96

Added to database: 1/2/2026, 4:44:13 PM

Last enriched: 1/10/2026, 12:13:54 AM

Last updated: 2/7/2026, 2:27:40 PM
