ZimaOS CVE-2026-28798 Critical Flaw Allows Unauthenticated Remote Code Execution
Summary
A critical vulnerability (CVE-2026-28798, CVSS 9.0) in ZimaOS, a fork of CasaOS for Zima devices and x86-64 systems, allows unauthenticated remote code execution. Published to NVD on April 4, 2026, the flaw affects ZimaOS versions prior to the patched release and poses a significant risk to home server and NAS users who rely on ZimaOS for personal cloud storage and media management.
Threat Analysis
CVE-2026-28798 is a critical remote code execution vulnerability (CVSS 9.0) in ZimaOS, a fork of the popular CasaOS home server platform that targets Zima devices and x86-64 systems with UEFI. Prior to the patched version, an unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the ZimaOS system, potentially gaining full control of the device and all data stored on it. The vulnerability was published to the NVD on April 4, 2026.

ZimaOS is used as a personal cloud storage, media server, and home automation platform, so successful exploitation could expose personal files, photos, documents, and access to the home network. Home server and NAS platforms have become increasingly targeted by threat actors seeking to access personal data or to use compromised devices as part of botnets.

ZimaOS users should immediately update to the latest patched version, ensure their devices are not directly exposed to the internet without a firewall, enable authentication on all services, and regularly back up important data to offline storage. Users should also check for signs of unauthorized access or unusual network activity.
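As a practical way to act on the last two recommendations (is the device reachable from outside the LAN, and is there unusual activity), the following added check is not part of the advisory and not ZimaOS project code. It assumes the management interface sits behind a web server that writes lines in the common access-log layout; the sample lines, addresses, paths and timestamps are constructed for illustration, and the "LAN" definition is simply the RFC 1918, loopback and link-local ranges. Any request to the interface from an address outside those ranges, and any address with repeated failed logins, is reported.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the common access-log layout. These are NOT real
# ZimaOS logs (the advisory does not describe the ZimaOS log format); the IPs,
# paths and timestamps are invented. 203.0.113.0/24 is a documentation range
# standing in for an arbitrary internet source address.
SAMPLE_LOG = """\
192.168.1.20 - - [04/Apr/2026:10:01:12 +0000] "GET /v1/users/status HTTP/1.1" 200 512
192.168.1.34 - - [04/Apr/2026:10:02:01 +0000] "POST /v1/users/login HTTP/1.1" 200 288
203.0.113.77 - - [04/Apr/2026:10:05:44 +0000] "POST /v1/users/login HTTP/1.1" 401 91
203.0.113.77 - - [04/Apr/2026:10:05:45 +0000] "POST /v1/users/login HTTP/1.1" 401 91
203.0.113.77 - - [04/Apr/2026:10:05:47 +0000] "GET /v1/sys/info HTTP/1.1" 200 1024
10.0.0.5 - - [04/Apr/2026:10:07:03 +0000] "GET /files/photos HTTP/1.1" 200 2048
"""

# Explicit LAN ranges. Note: ipaddress.is_private is deliberately NOT used,
# because it also treats documentation ranges such as 203.0.113.0/24 as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_lan_source(ip_text):
    """True if the address falls inside one of the LAN ranges above, else False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # 'in' returns False on an IPv4/IPv6 version mismatch, so mixed lists are safe.
    return any(ip in net for net in LAN_NETWORKS)


def review_access_log(log_text, failed_login_threshold=2):
    """Return (external_hits, repeated_failures).

    external_hits: parsed records whose source address is outside the LAN,
                   i.e. evidence the interface is reachable from the internet.
    repeated_failures: {ip: count} for addresses with >= threshold 401 responses
                       to a login path (hypothetical '/login' suffix assumed).
    """
    external_hits = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_lan_source(rec["ip"]):
            external_hits.append(rec)
        if rec["status"] == 401 and rec["path"].endswith("/login"):
            failures[rec["ip"]] += 1
    repeated = {ip: n for ip, n in failures.items() if n >= failed_login_threshold}
    return external_hits, repeated


if __name__ == "__main__":
    hits, repeated = review_access_log(SAMPLE_LOG)
    for rec in hits:
        print(f"EXTERNAL {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    for ip, n in repeated.items():
        print(f"REPEATED LOGIN FAILURES {ip}: {n}")
```

Any line tagged EXTERNAL means the management interface answered a request that did not originate on the LAN, which is exactly the exposure the advisory says to avoid; on a correctly firewalled device this list should be empty. Run it against the real log path of whatever reverse proxy fronts the device, after confirming that proxy uses the same log layout.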