Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
The attacker sends a network request to the vLogin.py endpoint, passing base64-encoded Python code in the chkid parameter. The application decodes and executes the passed code without authentication and without proper input validation (CWE-95: eval injection, CWE-94: code injection). The title and oIP parameters are also utilized in this process. Execution occurs in the context of the root user, giving the attacker full control over the system.
The attacker gains full, unauthenticated remote code execution with root privileges, meaning complete takeover of the device — ability to read and modify data, install malware, and pivot to other network elements.
Apply patches available from the vendor according to the references. Due to the lack of authentication required by this vulnerability, immediately restrict network access to the vLogin.py endpoint using firewall or ACL until the official update is deployed.
Xspeeder SXZOS in all versions up to and including 2025-12-26.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXspeeder Sxzos
OSXspeeder≤ 2025-12-26