CVE-2025-54322

CriticalPublic PoCRCE

Published: 27 December 2025

Published

27 December 2025

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0031 54.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54322 is a critical-severity Eval Injection (CWE-95) vulnerability in Xspeeder Sxzos. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of untrusted inputs like the base64-encoded chkid parameter to prevent improper neutralization leading to remote code execution.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of the specific flaw in vLogin.py that enables unauthenticated root RCE.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Provides vulnerability scanning to identify code injection flaws like CWE-94/95 in the affected Xspeeder SXZOS application.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution via base64-encoded Python code injection in a public-facing web application (vLogin.py), directly mapping to Exploit Public-Facing Application (T1190) and Python interpreter abuse (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Deeper analysisAI

CVE-2025-54322 is a critical root remote code execution vulnerability affecting Xspeeder SXZOS through version 2025-12-26. The flaw exists in the vLogin.py script, where attackers can supply base64-encoded Python code via the chkid parameter, with the title and oIP parameters also utilized in the exploitation process. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-95 (improper neutralization of directives in dynamically evaluated code) and CWE-94 (improper control of generation of code).

The vulnerability enables unauthenticated remote exploitation over the network with low complexity and no user interaction required. Any remote attacker can trigger it to achieve root-level code execution on the target system, resulting in complete compromise with high impacts to confidentiality, integrity, and availability, including potential scope expansion.

Advisories and further details, including potential patches or mitigations, are documented at https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts and https://www.xspeeder.com.

This zero-day vulnerability reportedly affects approximately 70,000 hosts worldwide.