PT-2025-53622 · Unknown · Xspeeder Sxzos

Published 2025-12-27 · Updated 2025-12-30 · CVE-2025-54322

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XSpeeder SXZOS versions through 2025-12-26

Description: XSpeeder SXZOS through 2025-12-26 contains a critical remote code execution flaw. An unauthenticated attacker can achieve root access by sending a crafted HTTP request with base64-encoded Python code in the `chkid` parameter to the `/webInfos/` API endpoint. The `title` and `oIP` parameters are also implicated in the vulnerability. Approximately 70,000 internet-exposed devices are affected. The vulnerability allows for full device takeover, potentially enabling traffic interception and lateral movement within a network. The flaw stems from the use of `eval()` on base64-decoded input, allowing for arbitrary command execution.

Recommendations: Versions prior to 2025-12-26 should be updated when a patch becomes available. As a temporary workaround, restrict access to the `/webInfos/` API endpoint. Avoid using the `chkid`, `title`, and `oIP` parameters in the affected API endpoint until the issue is resolved.
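A defender-side illustration, added here and not part of the advisory or of the vendor's code, in Python (the language of the evaluated input): the hardened handling the advisory implies for the `chkid` parameter (base64-decode it, then accept only an expected identifier shape, never passing the decoded text to `eval()`), together with a small access-log scan that flags requests to `/webInfos/` whose `chkid`, `title` or `oIP` value base64-decodes to code-like text. The identifier pattern `CHKID_RE`, the `SUSPICIOUS_TOKENS` list, the log-line layout and the sample lines are all constructed assumptions; the page does not document what a legitimate `chkid` looks like.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Assumption: a legitimate chkid is a short token of letters, digits, '-' and '_'.
# The advisory does not document the real format; this is a placeholder policy.
CHKID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Substrings that never belong in an identifier but do appear in smuggled code.
SUSPICIOUS_TOKENS = ("import", "exec", "eval", "open(", "subprocess", "os.", "(", ")", ";")

AFFECTED_PATH = "/webInfos/"
AFFECTED_PARAMS = ("chkid", "title", "oIP")


def encode_chkid(text: str) -> str:
    """Helper used only to build constructed sample values."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_chkid(raw: str):
    """Strict base64 decode; returns None when the value is not valid base64/UTF-8."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def validate_chkid(raw: str):
    """Hardened handling: decode, then accept only the expected identifier shape.
    Returns the identifier, or None so the caller can answer 400 instead of
    evaluating the decoded string."""
    text = decode_chkid(raw)
    if text is None or not CHKID_RE.fullmatch(text):
        return None
    return text


def classify_request(line: str) -> dict:
    """Verdict for one access-log line. Constructed layout: 'METHOD PATH STATUS'."""
    _method, path, _status = line.split(" ", 2)
    parsed = urlparse(path)
    if not parsed.path.startswith(AFFECTED_PATH):
        return {"path": parsed.path, "suspicious": False, "reason": "not the affected endpoint"}
    params = parse_qs(parsed.query)
    for name in AFFECTED_PARAMS:
        for value in params.get(name, []):
            decoded = decode_chkid(value)
            if decoded is None:
                continue  # not base64, so nothing reaches the vulnerable decode-then-eval path
            if not CHKID_RE.fullmatch(decoded) and any(t in decoded.lower() for t in SUSPICIOUS_TOKENS):
                return {"path": parsed.path, "suspicious": True,
                        "reason": f"{name} base64-decodes to code-like text"}
    return {"path": parsed.path, "suspicious": False, "reason": "parameters decode to plain identifiers"}


def scan_log(lines):
    """Classify every line; callers would alert on any verdict with suspicious=True."""
    return [classify_request(line) for line in lines]


# Constructed sample log lines: one benign identifier, one value that decodes to
# a harmless Python expression (stands in for injected code), one unrelated request.
SAMPLE_LOG_LINES = [
    f"GET {AFFECTED_PATH}?chkid={encode_chkid('device42')}&oIP=10.0.0.5 200",
    f"GET {AFFECTED_PATH}?chkid={encode_chkid(chr(112) + 'rint(1+1)')}&title=x 200",
    "GET /index.html 200",
]

if __name__ == "__main__":
    for verdict in scan_log(SAMPLE_LOG_LINES):
        print(verdict)
```

The decode step is deliberately strict (`validate=True`) so that values which are not base64 at all are ignored by the scanner rather than producing false positives from binary garbage, and the handler rejects anything whose decoded form is not an identifier, which is the property the vulnerable `eval()` path lacks.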

Tags: Exploit · Fix · RCE · Eval Injection

Related Identifiers: CVE-2025-54322

Affected Products: Xspeeder Sxzos