CVE-2026-28286: CWE-73: External Control of File Name or Path in IceWhaleTech ZimaOS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
AI Analysis
Technical Summary
CVE-2026-28286 is classified under CWE-73 (External Control of File Name or Path) and affects IceWhaleTech's ZimaOS, specifically version 1.5.2-beta3. ZimaOS is a fork of CasaOS built for Zima devices and x86-64 systems with UEFI. The flaw is a missing server-side check in the API that handles file and directory creation: the frontend/UI refuses to create entries inside internal OS paths, but that restriction lives only in the client, so a request sent directly to the API with a target such as /etc, /usr, or another sensitive system directory is honoured and the file or directory is created. Two things follow from the description. First, the API process evidently runs with enough privilege to write to those locations (typically root), so the absent path check is the only barrier between an authenticated low-privileged user and the root filesystem. Second, the advisory demonstrates creation of new entries; whether existing files can be overwritten or read is not stated. Creating files in directories that privileged components consume is often enough on its own to escalate privileges, establish persistence, or break the system, which is why the impact is rated high. The record carries a CVSS 3.1 base score of 8.6 (High); the analysis summarises the vector as network attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and high confidentiality, integrity, and availability impact. No patch or fix has been published, and no exploitation in the wild had been observed as of the publication date.
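The check the API is missing, as an added example in Go (the language CasaOS and ZimaOS are written in). This is not ZimaOS code: the data roots /DATA and /media are assumed for illustration, and the advisory does not name the real endpoint or parameter. vulnerableCreate shows the pattern the advisory describes, where the server takes the client-supplied path as-is and only the UI filters destinations. safeCreatePath canonicalizes the target (absolute, cleaned, symlinks in the already-existing prefix resolved) and accepts it only if it lands under an allowed root. A deny-list of /etc, /usr and friends would miss /DATA/../etc and symlinks planted under the data root, which is why the allow-list is applied after canonicalization.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any target that does not resolve under an allowed root.
var ErrOutsideRoot = errors.New("target path is outside an allowed data root")

// vulnerableCreate mirrors the pattern the advisory describes: the server accepts
// whatever path the client sends. filepath.Clean is not a security check;
// "/DATA/../etc/x" cleans to "/etc/x" and is then created there.
func vulnerableCreate(target string) string {
	return filepath.Clean(target)
}

// isWithin reports whether p equals root or lies beneath it, comparing path
// components rather than string prefixes (so "/DATAX" is not inside "/DATA").
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// canonicalize makes p absolute and clean, then resolves symlinks in the longest
// prefix of p that already exists on disk and re-appends the not-yet-created tail.
// A symlink planted under an allowed root therefore resolves to its real
// destination before the policy check runs.
func canonicalize(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	existing, tail := filepath.Clean(abs), []string{}
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing { // reached the filesystem root
			break
		}
		tail = append([]string{filepath.Base(existing)}, tail...)
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err // dangling symlink or unreadable ancestor: fail closed
	}
	return filepath.Join(append([]string{resolved}, tail...)...), nil
}

// safeCreatePath is the server-side check the advisory says is missing. It rejects
// relative paths and NUL bytes outright, canonicalizes the target, and accepts it
// only if it lands under one of the allowed roots (also canonicalized, in case a
// root is itself a symlink such as /DATA -> /mnt/data).
func safeCreatePath(target string, allowedRoots []string) (string, error) {
	if !filepath.IsAbs(target) || strings.ContainsRune(target, 0) {
		return "", fmt.Errorf("%w: malformed target %q", ErrOutsideRoot, target)
	}
	canon, err := canonicalize(target)
	if err != nil {
		return "", err
	}
	for _, root := range allowedRoots {
		rootCanon, err := canonicalize(root)
		if err != nil {
			continue
		}
		if isWithin(rootCanon, canon) {
			return canon, nil
		}
	}
	return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideRoot, target, canon)
}

func main() {
	// Hypothetical data roots; the advisory does not name ZimaOS's real ones.
	roots := []string{"/DATA", "/media"}
	for _, req := range []string{"/DATA/photos/2026", "/etc/cron.d/job", "/DATA/../etc/job", "/DATAX/job", "DATA/job"} {
		got, err := safeCreatePath(req, roots)
		fmt.Printf("%-20s vulnerable=%-16s hardened=%q err=%v\n", req, vulnerableCreate(req), got, err)
	}
}
```

The prefix-confusion case (/DATAX) and the symlink case are the two that a quick `strings.HasPrefix(path, "/DATA")` check gets wrong; both are rejected here because the comparison happens on resolved path components.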
Potential Impact
Because the API honours arbitrary target paths, an authenticated user who should be confined to their own data areas can create files and directories under critical system paths. The advisory demonstrates creation; it does not say whether existing files can be overwritten or read, so the consequences below that depend on modification or disclosure are inferred from the CVSS vector rather than demonstrated. Creation alone is serious: a new file dropped into a directory that privileged components consume (cron drop-in directories, shell profile directories, service unit directories and the like) can yield privilege escalation and a persistent backdoor, and stray entries in configuration or binary directories can destabilise the system or cause denial of service. If overwriting is also possible, configuration files and binaries could be replaced outright and protected data altered. Either way the write barrier between ordinary users and the OS is gone, which undermines the platform's security model and gives an attacker a foothold for further attacks, including lateral movement within the network. Organisations running ZimaOS in production face system compromise, data breaches and operational disruption, and with no patch available the exposure persists for as long as the API is reachable by untrusted users or from outside the local network.
Mitigation Recommendations
1. Restrict API access to trusted, authenticated users and keep it off the internet: reach it only from the LAN or over a VPN. Every other measure here assumes attackers cannot freely hit the endpoint.
2. Fix the check on the server side, not in the UI: canonicalize the requested path (absolute, cleaned, symlinks resolved) and accept it only if it lands under an explicit allow-list of user data roots. A deny-list of /etc, /usr and similar directories is the wrong shape, because a path of the form data-root/../etc or a symlink under the data root sidesteps it.
3. Put an application-layer firewall or API gateway in front of the service to log and block file-operation requests whose target path points outside the expected data roots.
4. Review and test every API endpoint that takes a path parameter (create, rename, move, upload, extract), since the same missing check is likely to recur in neighbouring handlers.
5. Add mandatory access control (SELinux, AppArmor) as a defence-in-depth layer. This only helps if the profile confines the API process itself; a service that runs unconfined as root is not restrained by MAC policy.
6. Monitor system logs and run file integrity monitoring over /etc, /usr and other system directories; a new entry appearing there is the direct symptom of this flaw.
7. Track IceWhaleTech's releases and apply a fix as soon as one is published.
8. Until then, isolate ZimaOS instances and run the service with the least privilege it needs; if it does not need to write outside its data roots, the process should not be able to.
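Mitigation 6 in practice, as an added example in Go (not ZimaOS code): a minimal baseline-and-diff integrity check over the directories this advisory names. Roots are passed as arguments; main demonstrates it on a constructed temporary directory so it runs anywhere, and a real deployment would baseline /etc, /usr and similar as root, persist the snapshot, and re-run Diff on a schedule. Entries the process cannot read are recorded as "unreadable" instead of aborting the walk, so an unprivileged run still reports additions, which is the symptom that matters here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Change is one difference between a baseline snapshot and a later one.
type Change struct {
	Kind string // "added", "removed" or "modified"
	Path string
}

// hashFile returns the hex SHA-256 of a regular file's contents.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Snapshot walks each root and records one fingerprint per entry: the SHA-256 of
// regular files, "dir" for directories, "symlink->target" for symlinks, and
// "unreadable" where permissions stop us, so a non-root run still sees additions.
func Snapshot(roots []string) (map[string]string, error) {
	snap := make(map[string]string)
	for _, root := range roots {
		err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
			if walkErr != nil {
				if errors.Is(walkErr, fs.ErrPermission) {
					snap[p] = "unreadable"
					return nil
				}
				return walkErr
			}
			switch {
			case d.IsDir():
				snap[p] = "dir"
			case d.Type()&fs.ModeSymlink != 0:
				target, err := os.Readlink(p)
				if err != nil {
					return err
				}
				snap[p] = "symlink->" + target
			case d.Type().IsRegular():
				sum, err := hashFile(p)
				if errors.Is(err, fs.ErrPermission) {
					snap[p] = "unreadable"
				} else if err != nil {
					return err
				} else {
					snap[p] = sum
				}
			default:
				snap[p] = d.Type().String() // sockets, devices, fifos
			}
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	return snap, nil
}

// Diff lists entries added, removed or modified since base, sorted by path.
func Diff(base, cur map[string]string) []Change {
	var out []Change
	for p, fp := range cur {
		if old, ok := base[p]; !ok {
			out = append(out, Change{"added", p})
		} else if old != fp {
			out = append(out, Change{"modified", p})
		}
	}
	for p := range base {
		if _, ok := cur[p]; !ok {
			out = append(out, Change{"removed", p})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	// Constructed scenario: a stand-in for /etc in a temp dir is baselined, then a
	// new drop-in file appears, which is the effect the advisory describes.
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "cron.d"), 0o755)
	os.WriteFile(filepath.Join(root, "hosts"), []byte("127.0.0.1 localhost\n"), 0o644)
	base, _ := Snapshot([]string{root})
	os.WriteFile(filepath.Join(root, "cron.d", "job"), []byte("* * * * * root echo planted\n"), 0o644)
	cur, _ := Snapshot([]string{root})
	for _, c := range Diff(base, cur) { // on a real host: Snapshot([]string{"/etc", "/usr"})
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

Symlinks are fingerprinted by their target rather than followed, so a link swapped to point elsewhere shows up as "modified" without the walker being led out of the monitored tree.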
Affected Countries
United States, China, Germany, Japan, South Korea, India, Russia, United Kingdom, France, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.735Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a5bdaa32ffcdb8a2762eb6
Added to database: 3/2/2026, 4:41:14 PM
Last enriched: 3/2/2026, 4:45:42 PM
Last updated: 3/2/2026, 11:14:55 PM