CVE-2026-28442: CWE-73: External Control of File Name or Path in IceWhaleTech ZimaOS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.
AI Analysis
Technical Summary
CVE-2026-28442 is an external control of file name or path vulnerability (CWE-73) found in IceWhaleTech's ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the OS's application interface prevents users from deleting internal system files or folders, enforcing access controls at the UI level. However, the backend API responsible for handling delete requests fails to validate the 'path' parameter properly. By directly interacting with the API and manipulating this parameter, an attacker with low privileges can bypass UI restrictions and delete critical system files or directories. This improper input validation and broken access control on sensitive filesystem operations can lead to severe consequences, including system instability, denial of service, or potential escalation of privileges if critical components are removed. The vulnerability has a CVSS 3.1 score of 8.6 (high severity), reflecting its network attack vector, high impact on confidentiality, integrity, and availability, and the requirement for low privileges but no user interaction. Currently, no public patches or mitigations have been released by IceWhaleTech, increasing the urgency for affected users to implement compensating controls.
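The flaw described above is the absence of a server-side check on the 'path' parameter. The following is an added example of such a check, not ZimaOS or CasaOS code; the allowed roots, denied prefixes and the function names are constructed assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed policy for illustration (not ZimaOS's real configuration).
var (
	allowedRoots     = []string{"/DATA", "/media"}                       // deletes only below these
	deniedPrefixes   = []string{"/etc", "/usr", "/boot", "/DATA/AppData"} // never at or below these
	ErrPathForbidden = errors.New("delete refused: path outside permitted user-data locations")
)

// ValidateDeletePath canonicalises the client-supplied "path" parameter and enforces
// the policy on the server, so calling the API directly grants no more than the UI does.
func ValidateDeletePath(p string) (string, error) {
	if !filepath.IsAbs(p) {
		return "", ErrPathForbidden
	}
	clean := filepath.Clean(p) // collapses ".." and "//" before any prefix test
	if !withinAny(clean, allowedRoots, false) || withinAny(clean, deniedPrefixes, true) {
		return "", ErrPathForbidden
	}
	return clean, nil
}

// withinAny reports whether p lies below one of roots (or equals one, if allowRoot).
// filepath.Rel is used so that "/DATAX" is not mistaken for a child of "/DATA".
func withinAny(p string, roots []string, allowRoot bool) bool {
	for _, root := range roots {
		rel, err := filepath.Rel(root, p)
		if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
			continue
		}
		if rel != "." || allowRoot {
			return true
		}
	}
	return false
}

func main() {
	for _, req := range []string{"/DATA/Documents/old.txt", "/DATA/../etc/passwd", "/DATA/AppData/x"} {
		clean, err := ValidateDeletePath(req)
		fmt.Printf("%-26s -> %q %v\n", req, clean, err)
	}
}
```

In a real handler the check should run on the symlink-resolved parent directory (filepath.EvalSymlinks) so that a link placed inside user data cannot redirect the delete to a system location.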
Potential Impact
The vulnerability allows attackers with limited privileges to delete internal OS files and directories, which can severely disrupt system operations. This can lead to denial of service by removing critical system components, potentially causing the OS to become unstable or unbootable. The deletion of sensitive files may also expose confidential information or facilitate further attacks, such as privilege escalation or persistent compromise. Organizations relying on ZimaOS for critical infrastructure or embedded devices may face operational downtime, data loss, and increased risk of targeted attacks exploiting this vulnerability. The lack of a patch and the ability to exploit remotely over the network further exacerbate the threat, making it a significant risk for any deployment of ZimaOS 1.5.2-beta3.
Mitigation Recommendations
Until an official patch is released, organizations should implement strict network segmentation and firewall rules that restrict access to the ZimaOS API endpoints so that only trusted administrators and systems can reach them. Employ strong authentication and authorization mechanisms to ensure only fully trusted users can interact with the API. Monitor API usage logs for suspicious delete requests or unusual path parameters. Consider deploying host-based intrusion detection systems (HIDS) to detect unauthorized file deletions or modifications in critical system directories. If feasible, downgrade to a previous unaffected version or isolate affected systems from production environments. Engage with IceWhaleTech for updates and apply patches immediately once available. Additionally, keep regular backups of critical system files and configurations to enable recovery in case of exploitation.
Affected Countries
United States, China, Germany, Japan, South Korea, India, United Kingdom, Canada, France, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.140Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9ef11c48b3f10ff4d065e
Added to database: 3/5/2026, 9:01:05 PM
Last enriched: 3/5/2026, 9:15:23 PM
Last updated: 3/5/2026, 10:03:49 PM