Unrated severityNVD Advisory· Published Oct 24, 2024· Updated Nov 5, 2025

ZimaOS Unauthenticated API Discloses Usernames

CVE-2024-48932

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http://<Server-ip>/v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available.

Affected products

Icewhaletech/Zimaosv5
Range: < 1.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-57r9-43pc-gcp2mitrex_refsource_MISC
github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-9mrr-px2c-w42cmitrex_refsource_CONFIRM
youtu.be/wJFq8cuyFm4mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000