CVE-2025-54322
Unknown Unknown - Not Provided
Remote Code Execution in Xspeeder SXZOS vLogin.py via Parameter Injection

Publication date: 2025-12-27

Last updated on: 2025-12-27

Assigner: MITRE

Description
Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xspeeder sxzos *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Xspeeder SXZOS allows an attacker to execute arbitrary code with root privileges remotely by sending base64-encoded Python code through the chkid parameter to the vLogin.py script. The title and oIP parameters are also involved in the exploit.

Impact Analysis

An attacker exploiting this vulnerability can gain full control over the affected system with root privileges, potentially leading to complete system compromise, data theft, service disruption, or further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the vulnerable endpoint that include exactly three query parameters: title, oIp, and chkid. Detection involves checking for requests with the User-Agent header containing "SXZ/2.3", the presence of the X-SXZ-R header matching the current minute modulo 7, and a session cookie named sessionid. You can use network monitoring tools like tcpdump or Wireshark to filter such requests. For example, a tcpdump command to capture suspicious HTTP GET requests might be: tcpdump -i <interface> -A 'tcp port 80 and (((tcp[((tcp[12] & 0xf0) >> 2):4]) = 0x47455420))' and then filter for requests containing the parameters title, oIp, and chkid. Additionally, inspecting web server logs for GET requests with these parameters and the specified headers can help detect exploitation attempts. Since the chkid parameter is base64-encoded Python code evaluated unsafely, any unusual or suspicious base64 strings in chkid should be flagged. [1]

Mitigation Strategies

Immediate mitigation steps include: 1. Restricting access to the vulnerable web interface by network segmentation or firewall rules to prevent unauthorized external access. 2. Blocking or filtering HTTP requests that contain the three parameters title, oIp, and chkid together, especially those with User-Agent strings containing "SXZ/2.3". 3. Monitoring and invalidating suspicious session cookies and headers like X-SXZ-R. 4. Applying any available patches or updates from the vendor once released. 5. If patching is not possible, consider disabling or restricting the vulnerable service or endpoint (vLogin.py) to prevent exploitation. 6. Use intrusion detection/prevention systems (IDS/IPS) to detect and block exploit attempts based on the known attack pattern. Since the vulnerability allows pre-authentication root remote code execution, immediate network-level controls and monitoring are critical to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart