
CVE-2025-58432: CWE-250: Execution with Unnecessary Privileges in IceWhaleTech ZimaOS

Medium
Tags: Vulnerability, CVE-2025-58432, cve, cwe-250, cwe-269
Published: Wed Sep 17 2025 (09/17/2025, 17:31:20 UTC)
Source: CVE Database V5
Vendor/Project: IceWhaleTech
Product: ZimaOS

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.

AI-Powered Analysis

Last updated: 09/18/2025, 00:14:39 UTC

Technical Analysis

CVE-2025-58432 is a medium-severity vulnerability affecting IceWhaleTech's ZimaOS, an operating system forked from CasaOS and designed for Zima devices and x86-64 systems with UEFI. The vulnerability exists in versions 1.4.1 and earlier, specifically in the /v2_1/files/file/uploadV2 endpoint. This endpoint allows any user with access to localhost to upload files. Critically, these file uploads are executed with root privileges, meaning that an attacker who can reach the localhost interface can upload arbitrary files as the root user. This is a classic example of CWE-250 (Execution with Unnecessary Privileges) and CWE-269 (Improper Privilege Management).

The vulnerability does not require authentication but does require local access (AV:L, Attack Vector: Local). The attack complexity is low (AC:L), and no privileges are required (PR:N). However, user interaction is required (UI:A, which in CVSS 4.0 denotes active user interaction on the local system). The impact on confidentiality is none, but the impact on integrity is high, as arbitrary files can be uploaded as root, potentially allowing code execution or system compromise. Availability impact is none. No known exploits are reported in the wild as of the publication date (September 17, 2025). The CVSS 4.0 score is 5.2, reflecting medium severity. The vulnerability arises from improper privilege management: the file upload functionality unnecessarily executes with root privileges, increasing the risk of privilege escalation or system compromise if an attacker gains local access.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running ZimaOS, particularly in environments where local access to the system is possible by untrusted users or processes. Since the vulnerability allows file uploads as root without authentication, an attacker with local access could deploy malicious files, potentially leading to full system compromise, unauthorized code execution, or persistence mechanisms. This could impact critical infrastructure, enterprise servers, or IoT devices running ZimaOS, especially in sectors with high reliance on embedded or specialized operating systems. The risk is heightened in environments with shared access or weak physical security controls. Although remote exploitation is not directly possible, insider threats, compromised local accounts, or malware with local access could exploit this vulnerability. The lack of confidentiality impact reduces the risk of data leakage, but integrity and availability of systems could be severely affected if exploited. European organizations in manufacturing, telecommunications, or critical infrastructure using ZimaOS-based devices should be particularly vigilant.

Mitigation Recommendations

1. Restrict local access: Limit access to the localhost interface to trusted users and processes only, employing strict access controls and network segmentation to prevent unauthorized local access.
2. Apply the principle of least privilege: Modify or patch the file upload functionality so that it does not execute with root privileges unnecessarily. If a patch is not yet available, consider disabling or restricting the /v2_1/files/file/uploadV2 endpoint until a fix is released.
3. Monitor and audit: Implement monitoring of file upload activities and system logs to detect any unauthorized or suspicious uploads.
4. Use application whitelisting and integrity checking: Deploy tools that can detect unauthorized changes to critical system files or binaries.
5. Employ endpoint security solutions: Use antivirus and endpoint detection and response (EDR) tools capable of detecting exploitation attempts or malicious payloads uploaded via this vulnerability.
6. Educate users: Train local users on the risks of unauthorized file uploads and the importance of maintaining system security.
7. Follow vendor advisories: Stay updated with IceWhaleTech for patches or mitigations and apply them promptly once available.
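Detection logic for the "Monitor and audit" recommendation above, as an added example that is not part of this advisory or of ZimaOS itself: it scans HTTP access-log lines for requests to the /v2_1/files/file/uploadV2 endpoint named in the description and reports each hit with its source address and response status. The NCSA combined log layout, the regex and the sample lines are assumptions; ZimaOS's real log format is not described on this page.

```python
"""Access-log scanner for calls to the ZimaOS uploadV2 endpoint (CVE-2025-58432).

Added example, not ZimaOS project code. The log layout below is an assumed
NCSA combined format; adapt LOG_RE to the gateway's actual log lines.
"""
import re
from dataclasses import dataclass

UPLOAD_ENDPOINT = "/v2_1/files/file/uploadV2"  # endpoint path from the advisory

# Assumed combined-log layout: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class UploadHit:
    timestamp: str
    client_ip: str
    path: str
    status: int
    succeeded: bool  # True when the server accepted the upload (2xx)


def find_upload_calls(lines):
    """Return an UploadHit for every POST that reached the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        path = m.group("path").split("?", 1)[0]  # compare without the query string
        if m.group("method") == "POST" and path == UPLOAD_ENDPOINT:
            status = int(m.group("status"))
            hits.append(UploadHit(m.group("ts"), m.group("ip"), path,
                                  status, 200 <= status < 300))
    return hits


# Constructed sample log lines, not real ZimaOS output.
SAMPLE_LOG = [
    '127.0.0.1 - - [17/Sep/2025:10:01:02 +0000] "GET /v2_1/files/file HTTP/1.1" 200 512',
    '127.0.0.1 - - [17/Sep/2025:10:01:09 +0000] "POST /v2_1/files/file/uploadV2?path=/DATA/uploads HTTP/1.1" 200 17',
    '10.0.0.5 - - [17/Sep/2025:10:02:41 +0000] "POST /v2_1/files/file/uploadV2 HTTP/1.1" 401 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_upload_calls(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.path} "
              f"status={hit.status} accepted={hit.succeeded}")
```

Every accepted hit from 127.0.0.1 deserves review, since on an unpatched ZimaOS that request wrote a file as root without authentication.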


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-01T20:03:06.531Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cb4e06e5fa2c8b1490b39f

Added to database: 9/18/2025, 12:10:46 AM

Last enriched: 9/18/2025, 12:14:39 AM

Last updated: 9/18/2025, 2:10:15 AM

