PT-2025-53622 · Unknown · Xspeeder Sxzos

Published 2025-12-27 · Updated 2026-02-02 · CVE-2025-54322

CVSS v3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XSpeeder SXZOS through 2025-12-26

Description: XSpeeder SXZOS through 2025-12-26 contains a critical flaw that allows an unauthenticated remote attacker to execute arbitrary code as root. The issue stems from the unsafe evaluation of base64-decoded input received through the chkid parameter of the ''https://t.co/v9YXzNh19c'' endpoint; the title and oIP parameters of the same endpoint are also implicated. The vulnerable component passes the base64-decoded value to eval(), so a single HTTP request, with no authentication, is enough to run attacker-supplied code on the device. Approximately 70,000 internet-exposed devices are reported to be affected, including routers, SD-WAN appliances, and smart TV controllers, primarily in industrial and branch environments. The vulnerability was discovered by an AI agent; the vendor has not addressed it after seven months of disclosure attempts.

Recommendations: Affected builds (through 2025-12-26) should be updated once the vendor releases a patch. As a temporary workaround, restrict network access to the ''https://t.co/v9YXzNh19c'' endpoint so that it is reachable only from trusted management networks, and do not pass the chkid, title, or oIP parameters to the affected endpoint until the issue is resolved.
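The following is an added illustration of the bug class the advisory describes (eval() on a base64-decoded request parameter) and of the two practical responses to it: a hardened handler that decodes, validates and looks up the value without ever evaluating it, and a request-log check that flags requests whose chkid, title or oIP parameter decodes to code-like text. This is demonstration code written for this page, not SXZOS firmware or anything from the vendor; the parameter names come from the advisory, while the /cgi path, the handler shape, the expected identifier format, the lookup table and the sample requests are all constructed assumptions.

```python
"""Eval-on-base64 pattern from the advisory, rendered as a toy demonstration.

Hypothetical code written for this page, not SXZOS firmware. The parameter
names chkid, title and oIP come from the advisory; the handler shape, the
allowed identifier format, the lookup table and the sample requests are
constructed for illustration.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def make_query(name: str, plaintext: str) -> str:
    """Build a query string carrying plaintext base64-encoded in `name` (demo helper)."""
    return urlencode({name: base64.b64encode(plaintext.encode()).decode()})


# --- Vulnerable pattern: decode the parameter, then eval() it --------------
def vulnerable_handler(query: str) -> str:
    params = parse_qs(query)
    chkid = params.get("chkid", [""])[0]
    decoded = base64.b64decode(chkid).decode("utf-8", "replace")
    # Deliberately insecure: whatever the client encoded runs as code.
    return str(eval(decoded))  # noqa: S307


# --- Hardened pattern: decode, validate strictly, never evaluate -----------
CHKID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # assumed identifier format


class BadRequest(ValueError):
    """Raised when chkid is not a well-formed check identifier."""


def lookup_check(check_id: str) -> str:
    """Stand-in for the real lookup; the table is constructed."""
    table = {"ck01": "ok", "ck02": "degraded"}
    return table.get(check_id, "unknown")


def hardened_handler(query: str) -> str:
    params = parse_qs(query)
    chkid = params.get("chkid", [""])[0]
    try:
        # validate=True rejects stray characters instead of silently dropping them.
        decoded = base64.b64decode(chkid, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise BadRequest("chkid is not valid base64") from exc
    if not CHKID_RE.fullmatch(decoded):
        raise BadRequest("chkid has unexpected characters")
    return lookup_check(decoded)  # data lookup, no code execution


def hardened_accepts(query: str) -> bool:
    """True if the hardened handler serves the request, False if it rejects it."""
    try:
        hardened_handler(query)
        return True
    except BadRequest:
        return False


# --- Detection: flag requests whose implicated parameters decode to code ---
SUSPICIOUS = re.compile(
    r"__import__|import\s|os\.|subprocess|system\(|popen\(|open\(|exec\(|eval\(|;|\|"
)
IMPLICATED = ("chkid", "title", "oIP")  # parameters named in the advisory


def decode_param(query: str, name: str) -> Optional[str]:
    """Base64-decode one query parameter, or None if absent or undecodable."""
    value = parse_qs(query).get(name, [None])[0]
    if value is None:
        return None
    try:
        return base64.b64decode(value).decode("utf-8", "replace")
    except binascii.Error:
        return None


def is_suspicious_request(request_line: str) -> bool:
    """True if any implicated parameter in an HTTP request line decodes to code-like text."""
    target = request_line.split(" ")[1] if " " in request_line else request_line
    query = urlsplit(target).query
    return any(
        (decoded := decode_param(query, name)) is not None and SUSPICIOUS.search(decoded)
        for name in IMPLICATED
    )


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one carrying an expression.
    legit = "GET /cgi?" + make_query("chkid", "ck01") + " HTTP/1.1"
    attack = "GET /cgi?" + make_query("chkid", "__import__('os').getpid() > 0") + " HTTP/1.1"
    for line in (legit, attack):
        print(f"suspicious={is_suspicious_request(line)}  {line}")
```

The vulnerable handler returns "True" for the constructed attack request because the decoded expression actually executed; the hardened handler rejects the same request before anything is evaluated, and the detector flags it in a log line while passing the legitimate one. The regex in the detector is a starting point for log review, not a substitute for restricting access to the endpoint as the advisory recommends.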

Tags: Exploit, Fix, RCE, Eval Injection, Code Injection

Related Identifiers: CVE-2025-54322

Affected Products: Xspeeder Sxzos