CVE-2026-28798

ZimaOS · ZimaOS

ZimaOS versions prior to 1.5.3 contain a proxy endpoint vulnerability. When exposed via Cloudflare Tunnel, unauthenticated attackers can access internal localhost services and sensitive endpoints.

Executive summary

ZimaOS is vulnerable to unauthenticated access to internal services via a proxy endpoint when the system is reachable through a Cloudflare Tunnel.

Vulnerability

The /v1/sys/proxy endpoint in ZimaOS can be abused by unauthenticated attackers to proxy requests to internal services running on localhost. This occurs specifically when the OS is reachable from the internet via a Cloudflare Tunnel, bypassing intended local-only access restrictions.

Business impact

This vulnerability allows attackers to interact with sensitive internal-only management services and local APIs without authentication. The CVSS score of 9.0 indicates a critical risk of data exposure and potential system takeover by bypassing the external security perimeter provided by the tunnel.

Remediation

Immediate Action: Update ZimaOS to version 1.5.3 or later to patch the vulnerable proxy endpoint logic.

Proactive Monitoring: Review Cloudflare Tunnel logs and ZimaOS web interface logs for unusual requests directed at the /v1/sys/proxy path.

Compensating Controls: Disable the proxy endpoint if it is not required for business operations, or implement strict IP-based access controls at the Cloudflare Tunnel layer.
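To make the "Proactive Monitoring" step concrete, the following added example (not ZimaOS or Cloudflare code) scans access-log lines for requests to /v1/sys/proxy and ranks those that come from an external source, point at a loopback host and got a 2xx response. It assumes a Combined-Log-Format style line, a placeholder "url=" query parameter (the advisory does not name the endpoint's real parameter), and RFC 1918 plus loopback ranges as "internal"; the sample lines are constructed, not real traffic.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

PROXY_PATH = "/v1/sys/proxy"
# Hosts that indicate the proxy is being pointed at the box's own services.
LOOPBACK_RE = re.compile(r"localhost|127\.\d+\.\d+\.\d+|0\.0\.0\.0|\[::1\]", re.I)
# Sources treated as "inside"; anything else is considered external (tunnel-side).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# ASSUMED log format: a Combined-Log-Format style line. Adjust for your real logs.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); the "url=" parameter is a placeholder,
# the advisory does not name the endpoint's real parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /v1/sys/proxy?url=http://127.0.0.1:8080/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2026:10:01:03 +0000] "GET /v1/sys/proxy?url=http%3A%2F%2Flocalhost%3A9090%2Fadmin HTTP/1.1" 200 2048
192.168.1.20 - - [10/Mar/2026:10:02:10 +0000] "GET /v1/sys/proxy?url=http://127.0.0.1:8080/ HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [10/Mar/2026:10:03:05 +0000] "GET /v1/sys/proxy?url=http://127.0.0.1:8080/ HTTP/1.1" 401 0
"""

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable source: treat as external, err on the side of alerting
    return not any(ip in net for net in INTERNAL_NETS)

def scan_log(text):
    """Return one finding per request that hits the proxy path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.rstrip("/") != PROXY_PATH:
            continue
        query = unquote(parts.query)  # decode %-escapes so encoded hosts are still caught
        findings.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                         "external": is_external(m["src"]),
                         "loopback": bool(LOOPBACK_RE.search(query)), "query": query})
    return findings

def high_priority(findings):
    """External source + loopback target + 2xx response: the pattern this CVE describes."""
    return [f for f in findings if f["external"] and f["loopback"] and 200 <= f["status"] < 300]
```

Internal-LAN hits and rejected (non-2xx) requests are kept in the findings list for review but are not escalated; after updating to 1.5.3, any remaining high-priority hit is worth a closer look.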

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to reach internal localhost services from the public internet is a severe security bypass. Users of ZimaOS must update to version 1.5.3 immediately. We also recommend auditing all internal services to ensure they require independent authentication, providing defense-in-depth even if a proxy bypass occurs.