A critical zero-day vulnerability has been found in XSpeeder's SXZOS firmware, affecting tens of thousands of SD-WAN appliances, edge routers, and smart TV controllers deployed globally.
The vulnerability, designated PWN-25-01, allows unauthenticated remote code execution (RCE) with root privileges via a single crafted HTTP GET request.
XSpeeder, a Chinese networking vendor specializing in edge infrastructure, manufactures SXZOS-based devices that are widely deployed in remote industrial and branch environments.
Security researchers at pwn.ai identified the flaw through autonomous firmware analysis and multi-agent exploitation techniques, and describe it as the first agent-discovered, remotely exploitable zero-day RCE to be publicly disclosed.
The vulnerability lies in XSpeeder's Django-based web application framework.
CVE/ID: CVE-2025-54322
Vendor: XSpeeder (SXZOS Firmware)
Vulnerability Type: Pre-authentication Remote Code Execution
CVSS Severity: Critical (9.8)
Affected Devices: SD-WAN Appliances, Edge Routers, Smart TV Controllers
Exposed Hosts: 70,000+ globally
Authentication Required: No
Researchers found a critical weakness in the /webInfos/ endpoint, which processes three query parameters without proper input validation.
The vulnerable code path calls eval() on base64-decoded user input, bypassing the superficial middleware security layers that were designed to prevent malicious access.
Reaching it requires getting past three defensive mechanisms: a time-synchronized nonce header (X-SXZ-R), a session cookie warm-up requirement, and a naive substring filter that inspects only the still-encoded (pre-decoded) data.
Because these defenses operate at the middleware and Nginx layers rather than in the view itself, the vulnerable view remains reachable by any request that satisfies these minimal requirements.
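To make the weakness concrete, here is an added example (not XSpeeder's firmware code and not pwn.ai's exploit) that models the pattern described above in plain Python, with dicts standing in for a Django request: a view that base64-decodes the chkid parameter and hands it to eval(), fronted by a substring filter that only ever sees the raw, still-encoded value. The parameter name comes from the article; the blocked-word list, the view bodies and the test expression are assumptions. The nonce header and cookie warm-up are not modelled. A hardened variant shows the fix: decode strictly, validate against the shape the parameter is actually supposed to have, and never evaluate it.

```python
import base64
import binascii
import re

# Added example, not XSpeeder's firmware code and not pwn.ai's exploit.
# Models the anti-pattern described in the article with plain dicts in
# place of a Django request. "chkid" is the parameter named in the
# article; BLOCKED_SUBSTRINGS and the view bodies are assumptions.

# Assumed word list for the naive middleware filter.
BLOCKED_SUBSTRINGS = ("import", "os.", "subprocess", "eval")

# Constructed test expression: harmless, but contains "import".
DEMO_EXPRESSION = "__import__('math').pi>3"


def encode(text: str) -> str:
    """Base64-encode a string the way a client would before sending it."""
    return base64.b64encode(text.encode()).decode()


def naive_substring_filter(query: dict) -> bool:
    """Middleware model: scans the RAW (still-encoded) parameter values for
    blocked words. Returns True when the request is allowed through."""
    for value in query.values():
        if any(bad in value for bad in BLOCKED_SUBSTRINGS):
            return False
    return True


def vulnerable_view(query: dict):
    """The dangerous pattern: decode the parameter, then eval() it.
    The filter above ran on the encoded form, so it never saw this text."""
    if not naive_substring_filter(query):
        return "blocked"
    decoded = base64.b64decode(query["chkid"]).decode()
    return eval(decoded)  # arbitrary Python runs with the process's privileges


def hardened_view(query: dict):
    """Fix: decode strictly, validate against the expected shape (assumed
    here to be a short numeric id), and never hand the value to eval()."""
    raw = query.get("chkid", "")
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "rejected"
    if not re.fullmatch(r"[0-9]{1,10}", decoded):
        return "rejected"
    return int(decoded)


if __name__ == "__main__":
    encoded = encode(DEMO_EXPRESSION)
    print("raw expression blocked:", vulnerable_view({"chkid": DEMO_EXPRESSION}))
    print("encoded expression evaluated:", vulnerable_view({"chkid": encoded}))
    print("hardened view on same input:", hardened_view({"chkid": encoded}))
    print("hardened view on valid id:", hardened_view({"chkid": encode("42")}))
```

The point is that a filter keyed on substrings of the encoded value cannot see "import" inside a base64 string, so it waves through exactly the input the view goes on to execute. Moving the filter after decoding would only invite the next encoding trick; the robust fix is to take eval() out of the path and validate the decoded value against an allowlist of what it is supposed to be.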
Attack Vector and Scope
Attackers achieve full command execution by sending a specially crafted HTTP GET request that embeds base64-encoded malicious Python code in the chkid parameter.
No authentication credentials are required, and the vulnerability affects every SXZOS device reachable from the internet.
According to Fofa and other fingerprinting services, over 70,000 SXZOS-based systems remain exposed worldwide.
These devices control critical infrastructure in industrial and branch-office environments, making the vulnerability a widespread attack surface for enterprises.
Despite more than seven months of coordinated disclosure attempts, XSpeeder has not responded to pwn.ai's security researchers.
That silence triggered public disclosure under responsible vulnerability management protocols, leaving organizations without vendor-provided patches at the time of publication.
Administrators managing XSpeeder equipment should immediately segment the network, restrict access to device management interfaces, and monitor for exploitation attempts.
Organizations are strongly advised to consider alternative networking solutions until vendor patches become available.
