Critical Zero-Day RCE Flaw in Networking Devices Exposes Over 70,000 Hosts

A severe unauthenticated remote code execution vulnerability has been discovered in XSpeeder networking devices, potentially affecting more than 70,000 publicly accessible hosts worldwide.

Tracked as CVE-2025-54322, the flaw allows attackers to gain root-level access without any authentication credentials.

CVE ID: CVE-2025-54322
Vulnerability Type: Unauthenticated Root RCE
Severity: Critical
Affected Systems: ~70,000+ XSpeeder SXZOS devices
Authentication Required: No

These systems are particularly prevalent in remote industrial and branch office environments globally.

According to Pwn.ai, tens of thousands of XSpeeder-based systems are exposed on the public internet, creating an expansive attack surface.

Technical Details

The vulnerability exists in the web authentication layer of SXZOS devices. Researchers, using an autonomous agent, identified a pre-authentication RCE entry point through firmware analysis and live exploitation.

The vulnerable endpoint sits behind several superficial security gates, including a time-synchronized nonce header, session cookie validation, and a naive payload scan, none of which actually protects it.

The attack exploits an unsafe eval() function that processes base64-decoded user input from query parameters.

By bypassing simplistic middleware protections, attackers can inject arbitrary Python code and execute system commands with root privileges via a single HTTP GET request.
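The bug class described above, as an added illustration (not XSpeeder's code, and no part of the researchers' findings): a handler that base64-decodes a query parameter and hands it to eval(), beside a hardened handler that treats the decoded bytes strictly as data and dispatches to a fixed operation table. Names, the JSON request shape and the ALLOWED_OPS entries are assumptions for the example.

```python
import base64
import binascii
import json


def b64(text: str) -> str:
    """Helper for the example: base64-encode a string the way a client would."""
    return base64.b64encode(text.encode()).decode()


def vulnerable_handler(query_value: str):
    """Vulnerable pattern: decoded input is interpreted as Python.

    Any nonce, cookie or keyword scan placed in front of this line is a
    speed bump, not a control; the interpreter still runs whatever arrives.
    """
    code = base64.b64decode(query_value).decode()
    return eval(code)  # arbitrary expression, executed with the service's privileges


# Hardened pattern: a closed set of operations. Input selects one; it never
# becomes code. Return values are constructed sample data for the example.
ALLOWED_OPS = {
    "status": lambda args: {"uptime": 1234},
    "echo": lambda args: {"echo": str(args.get("msg", ""))[:64]},
}


def hardened_handler(query_value: str):
    """Decode strictly, parse as JSON, validate shape, dispatch by allowlist."""
    try:
        raw = base64.b64decode(query_value, validate=True)
    except (binascii.Error, ValueError):
        return {"error": "bad encoding"}, 400
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"error": "bad payload"}, 400
    if not isinstance(req, dict) or req.get("op") not in ALLOWED_OPS:
        return {"error": "unknown op"}, 400
    args = req.get("args", {})
    if not isinstance(args, dict):
        return {"error": "bad args"}, 400
    return ALLOWED_OPS[req["op"]](args), 200
```

The defender's check is structural: grep the firmware's web layer for eval(), exec() or equivalent on anything derived from a request, and treat any hit as reachable regardless of the gates in front of it.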

This vulnerability remains unpatched at publication time. Despite seven months of documented outreach attempts, XSpeeder has not responded to vulnerability disclosures.

Researchers chose this device as their first public disclosure specifically because of the vendor’s unresponsiveness.

Notably, this represents the first agent-discovered, remotely exploitable zero-day RCE published using autonomous penetration testing methods, underscoring the capability of AI-driven vulnerability research to identify critical flaws that traditional methods may miss.

Organizations running XSpeeder SXZOS devices should immediately isolate affected systems from untrusted networks and implement network-level access controls.

This vulnerability exemplifies the critical risks posed by unresponsive vendors in the industrial and branch networking space, where security patches often lag significantly behind threat discovery.
