Cyber Resilience

CVE-2025-54322

CriticalPublic PoCRCE

Published: 27 December 2025

Published
27 December 2025
Modified
09 January 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.1399 96.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-54322 is a critical-severity Eval Injection (CWE-95) vulnerability in Xspeeder Sxzos. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-54322 is a critical root remote code execution vulnerability affecting Xspeeder SXZOS through version 2025-12-26. The flaw exists in the vLogin.py script, where attackers can supply base64-encoded Python code via the chkid parameter, with the title and oIP parameters also utilized in the exploitation process. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-95 (improper neutralization of directives in dynamically evaluated code) and CWE-94 (improper control of generation of code).

The vulnerability enables unauthenticated remote exploitation over the network with low complexity and no user interaction required. Any remote attacker can trigger it to achieve root-level code execution on the target system, resulting in complete compromise with high impacts to confidentiality, integrity, and availability, including potential scope expansion.

Advisories and further details, including potential patches or mitigations, are documented at https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts and https://www.xspeeder.com.

This zero-day vulnerability reportedly affects approximately 70,000 hosts worldwide.

EU & UK References

Vulnerability details

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via base64-encoded Python code injection in a public-facing web application (vLogin.py), directly mapping to Exploit Public-Facing Application (T1190) and Python interpreter abuse (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28505Shared CWE-94, CWE-95
CVE-2026-25481Shared CWE-94
CVE-2025-0868Shared CWE-95
CVE-2025-24893Shared CWE-94, CWE-95
CVE-2026-35002Shared CWE-95
CVE-2025-55728Shared CWE-94, CWE-95
CVE-2025-53890Shared CWE-94
CVE-2025-54550Shared CWE-94
CVE-2026-25153Shared CWE-94
CVE-2026-44334Shared CWE-94

Affected Assets

xspeeder
sxzos
≤ 2025-12-26

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted inputs like the base64-encoded chkid parameter to prevent improper neutralization leading to remote code execution.

prevent

Mandates timely identification, reporting, and patching of the specific flaw in vLogin.py that enables unauthenticated root RCE.

detect

Provides vulnerability scanning to identify code injection flaws like CWE-94/95 in the affected Xspeeder SXZOS application.

References