Critical 0-Day RCE Vulnerability in Networking Devices Exposes 70,000+ Hosts


A critical zero-day vulnerability has been discovered in XSpeeder’s SXZOS firmware, affecting tens of thousands of SD-WAN appliances, edge routers, and smart TV controllers deployed globally.

The vulnerability, tracked by the researchers as PWN-25-01 and assigned CVE-2025-54322, allows unauthenticated remote code execution (RCE) as root through a single HTTP GET request.

XSpeeder, a Chinese networking vendor specializing in edge infrastructure, manufactures SXZOS-based devices that are widely deployed in remote industrial and branch environments.

Security researchers at pwn.ai identified the flaw through autonomous firmware analysis and multi-agent exploitation techniques, and describe it as the first publicly disclosed remotely exploitable zero-day RCE discovered by an AI agent.

The vulnerability lies in the Django-based web application that ships with SXZOS.

Attribute                Details
CVE/ID                   CVE-2025-54322 (researcher ID PWN-25-01)
Vendor                   XSpeeder (SXZOS firmware)
Vulnerability type       Pre-authentication remote code execution
CVSS severity            Critical (9.8)
Affected devices         SD-WAN appliances, edge routers, smart TV controllers
Exposed hosts            70,000+ globally
Authentication required  No

The researchers found the weakness in the /webInfos/ endpoint, which accepts three query parameters and does not validate any of them.


The vulnerable code path passes base64-decoded user input to eval(); the only protection in front of it is a set of superficial middleware checks.

Reaching that call means getting past three of them: a time-synchronized nonce header (X-SXZ-R), a session-cookie "warm-up" requirement, and a naive substring filter that inspects the parameter before it is decoded.

Because all three live in the middleware and Nginx layers rather than in the view itself, a request that satisfies them is handed to the vulnerable view unchanged, and the substring filter never sees the decoded payload that eval() actually runs.
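The following is an added illustration of the bug class described above, written for this page and not taken from SXZOS or pwn.ai's research: a handler that base64-decodes a query parameter and hands it to eval(), guarded only by a substring filter that inspects the still-encoded value. It is placed beside a hardened handler that treats chkid as an opaque identifier. Function names, the blocklist and the identifier format are assumptions; only the parameter name chkid comes from the article.

```python
import base64
import re

# Constructed example of the pattern "substring filter on encoded input, then
# eval() on the decoded input". Names other than chkid are assumptions, not
# XSpeeder's code.

BLOCKLIST = ("import", "__", "os.", "subprocess", "open(", "exec(")


def encode_param(text: str) -> str:
    """Base64-encode a value the way a client would before placing it in the query string."""
    return base64.b64encode(text.encode()).decode()


def prefilter_raw(raw_value: str) -> bool:
    """The weak check: looks for blocklisted tokens in the ENCODED value.

    Standard base64 output only uses A-Z, a-z, 0-9, '+', '/' and '=', so '(' and
    '_' can never appear, and the other tokens appear only by coincidence.
    Returns True when the request is allowed through.
    """
    return not any(tok in raw_value for tok in BLOCKLIST)


def vulnerable_view(chkid: str):
    """Decode, then eval(): whatever the client encoded is executed as Python."""
    if not prefilter_raw(chkid):
        return "blocked"
    decoded = base64.b64decode(chkid).decode()
    return eval(decoded)  # the flaw, kept here only to show the behaviour


def prefilter_decoded(raw_value: str) -> bool:
    """The same blocklist applied AFTER decoding, so it sees what eval() would see.

    Still a denylist, so not a fix on its own, but it shows why filter order matters.
    """
    try:
        decoded = base64.b64decode(raw_value, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return False
    return not any(tok in decoded for tok in BLOCKLIST)


# Assumed format for a legitimate chkid: a short opaque token, never code.
CHKID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def hardened_view(chkid: str):
    """The actual fix: validate the decoded value against a strict allowlist and never evaluate it."""
    try:
        decoded = base64.b64decode(chkid, validate=True).decode("ascii")
    except ValueError:
        return "rejected"
    if not CHKID_RE.fullmatch(decoded):
        return "rejected"
    return {"chkid": decoded}


if __name__ == "__main__":
    harmless = encode_param("7*6")        # "Nyo2"
    sneaky = encode_param("import os")    # "aW1wb3J0IG9z"
    print("raw filter on encoded 'import os':", prefilter_raw(sneaky))        # True: not caught
    print("filter after decoding:            ", prefilter_decoded(sneaky))    # False: caught
    print("vulnerable_view evaluates 7*6 ->  ", vulnerable_view(harmless))    # 42
    print("hardened_view on the same input ->", hardened_view(harmless))      # rejected
    print("hardened_view on an identifier -> ", hardened_view(encode_param("dev-01")))
```

The point of the two filters is the ordering: a denylist that runs before decoding is checking a different string from the one eval() receives. The hardened handler does not try to improve the denylist at all; it removes eval() and accepts only values that match the identifier grammar the application expects.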

Attack Vector and Scope

An attacker gets full command execution by sending a single crafted HTTP GET request whose chkid parameter carries base64-encoded Python code.

No credentials are needed, so every SXZOS device whose web interface is reachable from the internet is affected.

According to Fofa and advanced fingerprinting services, over 70,000 SXZOS-based systems remain exposed worldwide.

These devices control critical infrastructure in industrial and branch office environments, making this vulnerability a widespread risk surface for enterprises.

Despite more than seven months of coordinated disclosure attempts, XSpeeder has not responded to pwn.ai's researchers.

pwn.ai therefore published the findings under its coordinated disclosure policy, which means no vendor patch is available at the time of publication.

Administrators running XSpeeder equipment should immediately segment these devices from untrusted networks, restrict access to the management interface (including the /webInfos/ endpoint) to trusted sources, and monitor web server logs for exploitation attempts.

Organizations are strongly advised to consider alternative networking solutions until vendor patches become available.
