Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

PUBLISHED Reserved 2025-07-20 | Published 2025-12-27 | Updated 2025-12-29 | Assigner mitre




CRITICAL: 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

Default status: unaffected

Any version: affected

References

pwn.ai/...ay-unauthenticated-root-rce-affecting-70-000-hosts exploit

www.xspeeder.com

cve.org (CVE-2025-54322)

nvd.nist.gov (CVE-2025-54322)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.