CVE-2025-54322 · CRITICAL 9.8 · EPSS p96.1%

Description

Xspeeder SXZOS through 2025-12-26 allows unauthenticated root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used in the same request.
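A triage aid added by the editor; it is not from the advisory, the vendor or the NVD record. It walks web-server access-log lines, picks out requests to vLogin.py that carry a chkid parameter, and flags any whose value base64-decodes to text that looks like Python source. The log lines and the marker payload are constructed; vLogin.py sitting at the web root, the combined log format, and the list of Python marker tokens are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Combined/common access-log line: client, identd, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Standard or URL-safe base64 alphabet with optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+=*$")
# Tokens that mark decoded chkid content as Python source rather than an identifier (assumed list).
PYTHON_MARKERS = re.compile(r"\b(import|exec|eval|__import__|os\.system|subprocess)\b")


def decode_b64(value):
    """Return the UTF-8 text behind a base64 (standard or URL-safe) string, or None."""
    if not B64_RE.match(value) or len(value.rstrip("=")) % 4 == 1:
        return None
    std = value.replace("-", "+").replace("_", "/").rstrip("=")
    std += "=" * (-len(std) % 4)  # re-pad, so unpadded URL-safe values decode too
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def scan_line(line):
    """Classify one access-log line; None if it is not a vLogin.py request carrying chkid."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rsplit("/", 1)[-1] != "vLogin.py":
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "chkid" not in params:
        return None
    # parse_qs turns a literal '+' into a space; a base64 '+' sent unencoded comes back as ' '.
    chkid = params["chkid"][0].replace(" ", "+")
    decoded = decode_b64(chkid)
    if decoded is None:
        verdict = "plain"          # ordinary identifier, nothing to decode
    elif PYTHON_MARKERS.search(decoded):
        verdict = "python-code"    # matches the CVE-2025-54322 pattern
    else:
        verdict = "base64-other"   # decodes, but not obviously code: review manually
    return {"client": m.group("client"), "ts": m.group("ts"),
            "chkid": chkid, "decoded": decoded, "verdict": verdict}


def scan_log(lines):
    return [r for r in map(scan_line, lines) if r is not None]


def alerts(lines):
    return [r for r in scan_log(lines) if r["verdict"] == "python-code"]


# Constructed sample log (not real traffic). The Python payload is a harmless marker string,
# not the exploit; the /vLogin.py path at the web root is an assumption.
_MARKER = base64.b64encode(b"import os\nprint(os.getuid())").decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Dec/2025:10:00:01 +0000] "GET /vLogin.py?chkid=12345&title=home&oIP=10.0.0.8 HTTP/1.1" 200 512',
    f'198.51.100.9 - - [27/Dec/2025:10:00:02 +0000] "GET /vLogin.py?chkid={quote(_MARKER, safe="")}&title=x&oIP=10.0.0.8 HTTP/1.1" 200 77',
    '203.0.113.4 - - [27/Dec/2025:10:00:03 +0000] "GET /vLogin.py?chkid=aGVsbG8gd29ybGQ= HTTP/1.1" 200 40',
    '203.0.113.4 - - [27/Dec/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} chkid decodes to Python: {hit["decoded"]!r}')
```

Two caveats for anyone running this against real logs: access logs only record the query string, so if the parameter travels in a POST body you need proxy or WAF logs that capture request bodies; and the marker list is a heuristic, so payloads that are further encoded or obfuscated land in "base64-other", which should be treated as a review queue rather than noise.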

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 13.99% probability of exploitation · percentile 96.1% · scored 2026-06-18T12:00:27Z
Published: 2025-12-27
Last modified: 2026-01-09

Underlying weaknesses · 2

CWE-95, CWE-94

References

  1. https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts
  2. https://www.xspeeder.com

Weaknesses · 2

Type | Target | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0% | live
Weakness | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (cwe-95) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-25109
CVE: CVE-2026-20764
CVE: CVE-2025-6542
CVE: CVE-2026-25111
CVE: CVE-2026-25105
CVE: CVE-2026-25196

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.