Critical 0day flaw Exposes 70k XSpeeder Devices as Vendor Ignores Alert – Hackread – Cybersecurity News, Data Breaches, AI, and More


Imagine a master key that opens the front door to 70,000 businesses, but the locksmith refuses to fix the vulnerability. This is exactly what’s happening with a security vulnerability found in XSpeeder networking gear. The issue was caught by the research firm pwn.ai, which used its proprietary AI tool, also named pwn.ai, to find the vulnerability before hackers could exploit it.

The vulnerability, tracked as CVE-2025-54322, earned a perfect 10.0 (Critical) score, the highest possible threat rating, because it lets outsiders take total “root” control of a device without needing a password. Root access, as we know it, is the ultimate prize for hackers; it gives them the power to watch traffic, steal data, or shut down systems entirely.

How the AI Found the Hole

XSpeeder is a Chinese vendor known for “edge” devices like routers, SD-WAN appliances, and smart TV controllers. Their core software, SXZOS, is used heavily in factories and remote offices.

To find the vulnerability, the pwn.ai tool tasked its “swarm” of AI agents to emulate these devices and hunt for weaknesses. These agents use a custom architecture built on decades of hacking experience to copy a device’s behaviour and scan it for holes.

According to the technical research, which was shared with Hackread.com, the AI targeted a file called vLogin.py. By injecting crafted input into a request parameter called chkid, the tool worked out how to make the device execute attacker-supplied commands. Researchers noted this is “the first agent-found, remotely exploitable 0-day” ever made public.
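The article only names the entry point (vLogin.py) and the parameter (chkid). As an added, hypothetical illustration of what a defender can do while no patch exists, the Python below scans access log lines for requests to vLogin.py whose chkid value falls outside a conservative character allowlist and reports the client address. It is not pwn.ai's code and not XSpeeder's SXZOS code; the log format, the allowlist for a legitimate chkid value, and the sample log lines are all assumptions constructed for this example.

```python
"""Access-log triage for abnormal chkid values sent to vLogin.py.

Hypothetical example written for this article; not pwn.ai's tooling and
not XSpeeder/SXZOS code. Assumes a common-log-format access log whose
request line carries the path and query string, and assumes (the article
does not say) that a legitimate chkid is a short alphanumeric token.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ASSUMPTION: a legitimate chkid contains only letters, digits, '_' and '-'.
CHKID_ALLOWED = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Request line inside a common-log-format entry: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def chkid_values(target: str) -> list:
    """Return every chkid value in the request target, or [] if the path is not vLogin.py."""
    parts = urlsplit(target)
    if not parts.path.endswith("vLogin.py"):
        return []
    # parse_qs percent-decodes once; a second unquote exposes double-encoded input.
    return [unquote(v) for v in parse_qs(parts.query, keep_blank_values=True).get("chkid", [])]


def is_suspicious_chkid(value: str) -> bool:
    """True when the decoded value contains anything outside the assumed allowlist."""
    return CHKID_ALLOWED.fullmatch(value) is None


def scan_access_log(lines) -> list:
    """Return (client_ip, decoded_chkid) pairs for abnormal requests to vLogin.py."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for value in chkid_values(m.group("target")):
            if is_suspicious_chkid(value):
                hits.append((client_ip, value))
    return hits


# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /vLogin.py?chkid=user42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /vLogin.py?chkid=user42%3B%20x HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "POST /vLogin.py?chkid=abc%2524%257Bx%257D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"ALERT: {ip} sent abnormal chkid {value!r} to vLogin.py")
```

Run against the constructed sample, the scanner flags the second and fourth lines (the fourth only because the value is decoded twice) and ignores the benign login and the unrelated page. Because the real input grammar is unknown, a scanner like this is for triage and network-level blocking of repeat sources, not a substitute for the vendor patch the article says is still missing.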

Seven Months of Silence

We often hear about AI being used for malicious purposes, such as in November 2025’s report from Anthropic about a “highly sophisticated AI-led espionage campaign” by a Chinese state-sponsored group, but this case shows that AI can be a powerful tool for defence, too.

However, for pwn.ai, finding the vulnerability was only half the battle. The team spent over 7 months trying to get XSpeeder to fix the issue, but unfortunately, “no patch or advisory has been issued.”

“We chose it as our first disclosure because, unlike other vendors, we have been unable to get any response from XSpeeder despite more than seven months of outreach. As a result, at the time of publication, this unfortunately remains a zero-day vulnerability,” researchers wrote.

It is worth noting that a hacker doesn’t need to be a genius to exploit this; “all the attacker needs to know is the IP of the target,” the blog post revealed.

With no fix in sight and 70,000 systems currently exposed online, the risk to industrial and branch environments is massive. Pwn.ai’s investigation shows that its tool has already found nearly 20 other major vulnerabilities, making it clear that the way we find and fight security vulnerabilities has changed forever.

Vendors Ignoring Vulnerability Disclosures and Alerts

While some vendors respond quickly and responsibly to vulnerability reports, others ignore them, downplay the risks, or even lash out at the researchers who report them. A recent example involves Eurostar, the European train service giant, which accused researchers from Pen Test Partners of blackmail after they reported serious flaws in its AI-powered chatbot.

Incidents like this aren’t rare. They’ve happened around the world, which may be why countries like Portugal have started updating their cybercrime laws to protect ethical hackers and researchers from prosecution simply for identifying and reporting security issues.
