Remote Code Execution Vulnerability in Xspeeder SXZOS by Xspeeder
CVE-2025-54322

10CRITICAL

Key Information:

Vendor: Xspeeder
Status: Sxzos
Vendor: CVE Published:; 27 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-54322?

The Xspeeder SXZOS platform has a security flaw that allows an attacker to execute arbitrary code remotely. The vulnerability arises from the improper handling of the chkid parameter in the vLogin.py script, which can be exploited through base64-encoded Python code. Additionally, the parameters 'title' and 'oIP' are part of the attack vector, potentially affecting a significant number of hosts. This issue emphasizes the need for immediate action to secure affected systems and protect sensitive data from unauthorized access.

Affected Version(s)

SXZOS 0 <= 2025-12-26

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-54322
Created by Sachinart

References

https://www.xspeeder.com

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticate...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Dec 27, 2025
👾
Exploit known to exist
Dec 27, 2025
Vulnerability published
Dec 27, 2025
Vulnerability Reserved
Jul 20, 2025

JSON