CVE-2025-54322
Remote Code Execution in Xspeeder SXZOS vLogin.py via Parameter Injection

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: MITRE

Description
Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
Meta Information
Published: 2025-12-27
Last Modified: 2025-12-27
Generated: 2026-05-07
AI Q&A: 2025-12-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: xspeeder
Product: sxzos
Version / Range: *
CWE ID: CWE-95
Description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Xspeeder SXZOS allows an attacker to execute arbitrary code with root privileges remotely by sending base64-encoded Python code through the chkid parameter to the vLogin.py script. The title and oIP parameters are also involved in the exploit.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can gain full control over the affected system with root privileges, potentially leading to complete system compromise, data theft, service disruption, or further attacks within the network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP GET requests to the vulnerable endpoint that include exactly three query parameters: title, oIp, and chkid. Detection involves checking for requests with the User-Agent header containing "SXZ/2.3", the presence of the X-SXZ-R header matching the current minute modulo 7, and a session cookie named sessionid.

You can use network monitoring tools like tcpdump or Wireshark to filter such requests. For example, a tcpdump command to capture suspicious HTTP GET requests might be:

    tcpdump -i <interface> -A 'tcp port 80 and (((tcp[((tcp[12] & 0xf0) >> 2):4]) = 0x47455420))'

Then filter the captured output for requests containing the parameters title, oIp, and chkid. Additionally, inspecting web server logs for GET requests with these parameters and the specified headers can help detect exploitation attempts. Since the chkid parameter is base64-encoded Python code evaluated unsafely, any unusual or suspicious base64 strings in chkid should be flagged. [1]
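A log-triage sketch for the indicators in the answer above, as an added example that is not part of the original page or of any vendor code: it scores Combined Log Format lines for the vLogin.py endpoint, the exact three-parameter set, a base64-decodable chkid and the "SXZ/2.3" User-Agent. The log format, the sample lines and the MIN_DECODED threshold are assumptions; the X-SXZ-R header and sessionid cookie do not appear in standard access logs and are not checked here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
EXPECTED = {"title", "oip", "chkid"}  # lower-cased: the page writes both oIP and oIp
MIN_DECODED = 8  # assumed threshold so short ordinary values are not flagged

def looks_like_encoded_text(value):
    """True if value is valid base64 that decodes to MIN_DECODED or more ASCII bytes."""
    value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= MIN_DECODED and raw.isascii()

def indicators(line):
    """Return the indicators from the page that one access-log line matches."""
    m = LOG_RE.search(line)
    if not m or m["method"] != "GET":
        return []
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("vlogin.py"):
        return []
    hits = ["endpoint"]
    params = parse_qsl(url.query, keep_blank_values=True)
    if len(params) == 3 and {k.lower() for k, _ in params} == EXPECTED:
        hits.append("three-params")
        chkid = next(v for k, v in params if k.lower() == "chkid")
        if looks_like_encoded_text(chkid):
            hits.append("chkid-base64")
    if "SXZ/2.3" in m["ua"]:
        hits.append("user-agent")
    return hits

# Constructed sample lines (addresses, URL path prefix and chkid value are made up).
_B64 = base64.b64encode(b"constructed-sample-python-source").decode()
SAMPLE = [
    '203.0.113.7 - - [27/Dec/2025:10:00:00 +0000] "GET /vLogin.py?title=a&oIp=198.51.100.2'
    f'&chkid={_B64} HTTP/1.1" 200 512 "-" "Mozilla/5.0 SXZ/2.3"',
    '203.0.113.8 - - [27/Dec/2025:10:00:05 +0000] "GET /vLogin.py?title=a HTTP/1.1" 200 90 "-" "curl/8.5"',
    '203.0.113.9 - - [27/Dec/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print([indicators(entry) for entry in SAMPLE])
```

A line that matches all four indicators deserves immediate review; "endpoint" alone only shows that vLogin.py was requested.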


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

1. Restrict access to the vulnerable web interface by network segmentation or firewall rules to prevent unauthorized external access.
2. Block or filter HTTP requests that contain the three parameters title, oIp, and chkid together, especially those with User-Agent strings containing "SXZ/2.3".
3. Monitor and invalidate suspicious session cookies and headers like X-SXZ-R.
4. Apply any available patches or updates from the vendor once released.
5. If patching is not possible, consider disabling or restricting the vulnerable service or endpoint (vLogin.py) to prevent exploitation.
6. Use intrusion detection/prevention systems (IDS/IPS) to detect and block exploit attempts based on the known attack pattern.

Since the vulnerability allows pre-authentication root remote code execution, immediate network-level controls and monitoring are critical to reduce risk. [1]

