CVE-2026-28286: CWE-73: External Control of File Name or Path in IceWhaleTech ZimaOS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3 the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths, but these restrictions can be bypassed by interacting directly with the API. A crafted request targeting /etc, /usr or another sensitive system directory causes the API to create files or directories in locations where normal users should have no write access, which shows that the API does not validate the target path and allows unauthorized operations on critical system directories. No known patch is publicly available.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-28286 is an instance of CWE-73 (External Control of File Name or Path) in IceWhaleTech's ZimaOS, a fork of CasaOS for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3 the frontend UI refuses to create files or directories in protected OS paths such as /etc and /usr, but that restriction exists only in the client; the backend API does not re-validate the target path it is handed. An authenticated user with low privileges who talks to the API directly can therefore create or modify files and directories in system locations where a normal user has no write access, which also tells us that the API process itself has write access to those directories. Because the file system is modified with the service's privileges rather than the caller's, the flaw threatens confidentiality, integrity and availability. The reported CVSS 3.1 base score is 8.6 (High): network attack vector, low privileges required, no user interaction, changed scope, and confidentiality, integrity and availability all affected. No patch has been released and no exploitation in the wild has been reported. The root cause is a design error rather than a parsing bug: the path restriction was implemented in the UI and trusted from the client, instead of being enforced on the server where the write actually happens.
Potential Impact
Write access to /etc or /usr on a Linux system is normally a short step from code execution as root: a file dropped into /etc/cron.d, a sudoers fragment, or a replaced binary under /usr are standard persistence and escalation routes, and they apply here wherever the API also lets the caller supply file contents, as a file-manager endpoint ordinarily does. The same primitive lets an attacker alter system configuration, disable security mechanisms, or break system services, so confidentiality, integrity and availability are all at stake, up to full compromise of the device and the data stored on it. Exposure is highest where the ZimaOS API is reachable from untrusted networks or shared with low-trust users, since the attack is network-based and needs only a low-privilege account. Every deployment of the vulnerable version is affected, Zima devices and x86-64 installs alike, and the absence of a patch lengthens the exposure window and raises the urgency of interim mitigation.
Mitigation Recommendations
1. Do not expose the ZimaOS web/API port to untrusted networks; place it behind a VPN or network segmentation and require strong authentication, since the attack needs only a low-privilege account.
2. Enforce path restrictions server-side: canonicalise every caller-supplied path (collapse "..", resolve symlinks) and reject anything that does not land under an explicit allow-list of user data roots, regardless of what the UI permits. A deny-list of a few directories such as /etc and /usr is not sufficient, because the write happens wherever the resolved path points.
3. Review API request logs for file- or folder-creation requests whose target path lies outside the user data area, paying particular attention to /etc, /usr, /bin, /boot and /var.
4. Watch the critical directories with a host-based audit or integrity tool, for example an auditd watch on /etc and /usr for write and attribute changes, or a file-integrity baseline checked on a schedule.
5. Avoid running 1.5.2-beta3 on exposed systems until a fixed release is published. Earlier releases are not confirmed unaffected, so downgrading is not a substitute for a patch.
6. Apply least privilege: give each account only the shares and operations it needs, and, where the deployment allows it, run the file-manager component with the least file-system privilege it requires.
7. Where a reverse proxy or API gateway fronts the service, use it to reject requests whose path parameter is outside the permitted roots before they reach the backend, as defence in depth rather than the sole control.
8. Keep regular backups of system configuration and user data so a compromised device can be rebuilt rather than cleaned.
9. Track IceWhaleTech's advisories and apply the fix as soon as one is released.
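The server-side check that items 2 and 3 call for, written out as an added example in Go (the language of the CasaOS code base); this is illustrative code, not ZimaOS's own, and it assumes a single user data root of /DATA, a hypothetical request-log format of "<timestamp> <user> <operation> <path>", and function names (ResolveUnderRoots, FlagOutOfRootRequests) chosen for this example. It resolves the caller's path to its real location before deciding, so the ".." and symlink cases that a client-side check never sees are handled, and the same function is replayed over log lines to flag past out-of-root requests.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path does not resolve under
// any allowed data root.
var ErrOutsideRoot = errors.New("path resolves outside the allowed data roots")

// ResolveUnderRoots canonicalises a caller-supplied absolute path and accepts
// it only if it lands under one of the allowed roots. The decision is made on
// the resolved path, so neither ".." segments nor a symlink planted inside a
// data root (for example /DATA/evil -> /etc) can redirect a write into a
// system directory. This is the check the backend must perform itself instead
// of trusting the UI.
func ResolveUnderRoots(requested string, roots []string) (string, error) {
	if !filepath.IsAbs(requested) {
		return "", fmt.Errorf("path must be absolute: %q", requested)
	}
	clean := filepath.Clean(requested) // collapses "..", ".", duplicate separators
	resolved, err := resolveExistingPrefix(clean)
	if err != nil {
		return "", err
	}
	for _, root := range roots {
		r := filepath.Clean(root)
		if resolved == r || strings.HasPrefix(resolved, r+string(filepath.Separator)) {
			return resolved, nil
		}
	}
	return "", fmt.Errorf("%w: %q -> %q", ErrOutsideRoot, requested, resolved)
}

// resolveExistingPrefix walks up from p until it reaches a component that
// exists, resolves symlinks there, and re-attaches the not-yet-existing tail.
// A target that does not exist yet (the normal case for a "create" request)
// is therefore judged by the real location of its nearest existing ancestor,
// not by the string the client sent.
func resolveExistingPrefix(p string) (string, error) {
	cur, tail := p, ""
	for {
		real, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(real, tail), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(cur)
		if parent == cur { // reached the filesystem root without a hit
			return "", err
		}
		tail = filepath.Join(filepath.Base(cur), tail)
		cur = parent
	}
}

// FlagOutOfRootRequests replays the same check over request-log lines so that
// earlier attempts to write outside the data roots can be found. The line
// format ("<ts> <user> <op> <path>") is constructed for this example and is
// not ZimaOS's own; adapt the field index to the real access log.
func FlagOutOfRootRequests(lines []string, roots []string) []string {
	var flagged []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line, carries no path to check
		}
		if _, err := ResolveUnderRoots(f[3], roots); err != nil {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	roots := []string{"/DATA"} // assumed data root; adjust to the deployment
	// Constructed sample log lines, not real ZimaOS output.
	logs := []string{
		"2026-03-02T16:41:14Z alice mkdir /DATA/Documents/reports",
		"2026-03-02T16:41:20Z alice mkdir /etc/cron.d",
		"2026-03-02T16:41:31Z alice create /DATA/../usr/local/bin/helper",
	}
	for _, l := range FlagOutOfRootRequests(logs, roots) {
		fmt.Println("FLAGGED:", l)
	}
}
```

The prefix comparison appends a separator so that a root of /DATA does not accidentally accept /DATA2. The check is still a check-then-act sequence: a symlink swapped in between the resolution and the actual create can race it, so on Linux the create itself should be done with openat2 and RESOLVE_BENEATH (or RESOLVE_NO_SYMLINKS) relative to the root directory, with this function serving as the first gate and the log filter.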
Affected Countries
United States, China, Germany, Japan, South Korea, India, Russia, United Kingdom, France, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.735Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a5bdaa32ffcdb8a2762eb6
Added to database: 3/2/2026, 4:41:14 PM
Last enriched: 3/9/2026, 5:08:44 PM
Last updated: 4/16/2026, 7:18:25 AM