The AI-Found Zero-Day: Critical CVE-2025-54322 Leaves 70,000 XSpeeder Devices Exposed
A critical vulnerability has been discovered in XSpeeder devices that allows unauthenticated remote code execution. XSpeeder is a Chinese manufacturer of enterprise networking equipment; its products are deployed in remote branch offices and industrial facilities and are in active use across multiple countries.
According to the technical platform Pwn.ai, more than 70,000 affected devices are directly exposed to the internet, a large share of them in the infrastructure of remote branch offices and industrial sites.
The vulnerability has been assigned the identifier CVE-2025-54322. It enables attackers to obtain superuser privileges without supplying any credentials. The root cause lies in a flaw within the web-based authentication layer of devices running XSpeeder’s proprietary operating system, SXZOS. Firmware analysis revealed that a sequence of rudimentary protective mechanisms can be bypassed, granting access to a critical endpoint.
The attack hinges on a call to eval() that executes whatever arrives in a request parameter once it has been base64-decoded. Passing attacker-controlled input to the interpreter this way is inherently unsafe, and the measures placed in front of it offer no real protection: investigators found that a check for the mere presence of a session cookie, a simplistic substring scan of the payload, and a time-synchronized header are all insufficient to prevent exploitation.
With nothing more than a single GET request, an attacker can inject arbitrary Python code and execute system commands with root privileges. The situation is further aggravated by the fact that seven months have passed since the vulnerability was identified, yet the vendor has failed to respond to reports and has not released any patch to address the issue.
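To make the failure mode concrete, here is an added Python example written for this write-up; it is not SXZOS code, and the parameter name cmd, the header X-Time, the session-cookie handling, the blocklist contents and the iface_status action are all assumptions. It reproduces the base64-then-eval pattern sitting behind the three weak gates described above, and then shows the hardened form: an HMAC-signed session token that is actually verified, and a structured request that is parsed and dispatched to an allowlisted, argument-validated action instead of being executed.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# All names below are constructed for illustration; they are not SXZOS code,
# the real endpoint, its parameter names, or the vendor's actual filter list.
BLOCKLIST = ("os.system", "subprocess", "import os")   # stand-in "simplistic payload scan"
MAX_SKEW = 300                                          # seconds of tolerated clock drift
SESSION_SECRET = b"constructed-demo-secret"             # assumed server-side HMAC key


def encode_cmd(text):
    """Client side: base64 the payload the way the endpoint expects it."""
    return base64.b64encode(text.encode()).decode()


def decode_cmd(params):
    return base64.b64decode(params.get("cmd", "")).decode("utf-8", "replace")


def weak_gates(params, cookies, headers, now=None):
    """The three flimsy checks the article describes, reconstructed generically."""
    now = time.time() if now is None else now
    if "session" not in cookies:                 # presence only; the value is never validated
        return False
    try:                                         # "time-synchronized header": a skew check only
        if abs(int(headers.get("X-Time", "0")) - int(now)) > MAX_SKEW:
            return False
    except ValueError:
        return False
    payload = decode_cmd(params)                 # substring blocklist: trivially sidestepped
    return not any(bad in payload for bad in BLOCKLIST)


def vulnerable_handler(params, cookies, headers, now=None):
    """Base64 -> eval() on a GET parameter: whoever reaches this runs Python as the service user."""
    if not weak_gates(params, cookies, headers, now):
        return "denied"
    return eval(decode_cmd(params))              # the bug under discussion, kept on purpose


# --- hardened form: verify the session, then dispatch an allowlisted action ---

def mint_session(user, ttl, secret=SESSION_SECRET, now=None):
    now = time.time() if now is None else now
    body = f"{user}:{int(now) + ttl}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def verify_session(token, secret=SESSION_SECRET, now=None):
    """Return the user for a valid, unexpired HMAC-signed token, else None."""
    now = time.time() if now is None else now
    try:
        user, exp, mac = token.split(":")
        expected = hmac.new(secret, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(mac, expected) and int(exp) >= now:
            return user
    except (AttributeError, ValueError, TypeError):   # missing, malformed or non-ASCII token
        pass
    return None


IFACE_RE = re.compile(r"(eth|wan|lan)[0-9]{1,2}")


def iface_status(args):
    iface = args.get("iface") if isinstance(args, dict) else None
    if not isinstance(iface, str) or not IFACE_RE.fullmatch(iface):
        raise ValueError("bad interface name")
    return {"iface": iface, "state": "up"}       # constructed stand-in for the real query


ACTIONS = {"iface_status": iface_status}         # the only operations the endpoint may perform


def hardened_handler(params, cookies, headers, now=None):
    if verify_session(cookies.get("session"), now=now) is None:
        return "denied"
    try:
        req = json.loads(decode_cmd(params))     # structured data, parsed and never executed
        return ACTIONS[req["action"]](req.get("args", {}))
    except (ValueError, KeyError, TypeError, AttributeError):   # bad base64/JSON, unknown action, bad args
        return "denied"
```

The evasion in the vulnerable path works because the scan looks for literal substrings while the interpreter offers many other spellings of the same capability (here `__import__("os")` instead of `import os`), so a longer blocklist never closes the gap. The hardened handler does not try to filter code at all: the request is data, the session token is cryptographically checked and expired, and the only code that runs is the allowlisted function whose arguments have been validated.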
Researchers note that they chose to disclose information about this device first precisely because of XSpeeder’s prolonged lack of response. They also emphasize the broader significance of the incident: this is the first known case in which a remote code execution vulnerability was identified using an autonomous automated testing tool. Such an approach makes it possible to uncover critical flaws that might otherwise remain undetected by traditional methods.
Organizations running XSpeeder devices on SXZOS are strongly advised to act immediately: take the devices' web interface off direct internet exposure, isolate the devices from external networks, and filter traffic to them at the routing level so that only trusted management hosts can reach them. Because the flaw is reachable without credentials and no patch exists, reducing network exposure is currently the only effective mitigation. The incident starkly illustrates how dangerous a manufacturer's failure to engage can be when severe vulnerabilities exist in enterprise networking equipment.