CRITICAL🇵🇱 Wersja polska

CVE-2025-54322

CVSS 10.0v3.1pub. 2025-12-27upd. 2026-01-09

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

🤖 AI Analysis
How it works

The attacker sends a network request to the vLogin.py endpoint, passing base64-encoded Python code in the chkid parameter. The application decodes and executes the passed code without authentication and without proper input validation (CWE-95: eval injection, CWE-94: code injection). The title and oIP parameters are also utilized in this process. Execution occurs in the context of the root user, giving the attacker full control over the system.

Impact

The attacker gains full, unauthenticated remote code execution with root privileges, meaning complete takeover of the device — ability to read and modify data, install malware, and pivot to other network elements.

Mitigation & patch

Apply patches available from the vendor according to the references. Due to the lack of authentication required by this vulnerability, immediately restrict network access to the vLogin.py endpoint using firewall or ACL until the official update is deployed.

Who is affected

Xspeeder SXZOS in all versions up to and including 2025-12-26.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xspeeder Sxzos

    OS
    Xspeeder
    ≤ 2025-12-26
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References