CVE-2025-54322

CriticalPublic PoC

Published: 27 December 2025

Published

27 December 2025

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0031 54.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of untrusted inputs like the base64-encoded chkid parameter to prevent improper neutralization leading to remote code execution.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of the specific flaw in vLogin.py that enables unauthenticated root RCE.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Provides vulnerability scanning to identify code injection flaws like CWE-94/95 in the affected Xspeeder SXZOS application.

Security SummaryAI

CVE-2025-54322 is a critical root remote code execution vulnerability affecting Xspeeder SXZOS through version 2025-12-26. The flaw exists in the vLogin.py script, where attackers can supply base64-encoded Python code via the chkid parameter, with the title and oIP parameters also utilized in the exploitation process. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-95 (improper neutralization of directives in dynamically evaluated code) and CWE-94 (improper control of generation of code).

The vulnerability enables unauthenticated remote exploitation over the network with low complexity and no user interaction required. Any remote attacker can trigger it to achieve root-level code execution on the target system, resulting in complete compromise with high impacts to confidentiality, integrity, and availability, including potential scope expansion.

Advisories and further details, including potential patches or mitigations, are documented at https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts and https://www.xspeeder.com.

This zero-day vulnerability reportedly affects approximately 70,000 hosts worldwide.

Details

CWE(s): CWE-95 CWE-94

Affected Products

xspeeder

sxzos

≤ 2025-12-26

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution via base64-encoded Python code injection in a public-facing web application (vLogin.py), directly mapping to Exploit Public-Facing Application (T1190) and Python interpreter abuse (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
Exploit, Third Party Advisory · cve@mitre.org
https://www.xspeeder.com
Product · cve@mitre.org
https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0