
Proof of concept
CVE-2025-54322

EUVD-2025-205476

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Dec 27, 2025 / Updated: 2mo ago

CVSS 10 / EPSS 0.38% / Critical

Summary

Xspeeder SXZOS through version 2025-12-26 contains an eval injection vulnerability in vLogin.py that allows unauthenticated remote code execution. The vulnerability exists in the chkid parameter, which accepts base64-encoded Python code that is improperly executed. The title and oIP parameters are also involved in the attack vector.

Impact

Unauthenticated network attackers can exploit this vulnerability to achieve root-level remote code execution with complete system compromise. Attackers can execute arbitrary Python code without authentication or user interaction, resulting in total confidentiality, integrity, and availability breaches. Active exploitation has been reported affecting approximately 70,000 hosts worldwide.

Exploitation

Multiple proof-of-concept exploits are available on pwn.ai and github.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

Versions released after 2025-12-26 contain patches for this vulnerability. Organizations should upgrade to patched versions immediately.

Mitigation

Immediately upgrade Xspeeder SXZOS systems to a version released after 2025-12-26. Implement network segmentation to restrict access to the vLogin.py endpoint. Monitor for suspicious requests to vLogin.py containing base64-encoded payloads in the chkid parameter. Implement Web Application Firewall (WAF) rules to block requests with suspicious base64 encoding patterns to vLogin.py. Given the active exploitation affecting 70,000 hosts and the trivial attack complexity, this should be treated as a critical priority for immediate patching.
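The monitoring step above can be turned into a simple log check. What follows is an added example, not code from the page, the vendor or pwn.ai: it scans constructed combined-style access-log lines for requests to vLogin.py whose chkid query parameter base64-decodes to Python that calls or imports something, which is the request shape the summary describes. The /webInfos/ path prefix is taken from the attack flow quoted in the references below and is an assumption about the deployment; the log format and sample addresses are constructed.

```python
import ast
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined-log style); not real traffic.
# The first carries chkid=base64("print(1)"); the second a plain numeric id.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Dec/2025:14:20:01 +0000] "GET /webInfos/vLogin.py?chkid=cHJpbnQoMSk%3D&title=x&oIP=1 HTTP/1.1" 200 512
203.0.113.5 - - [27/Dec/2025:14:21:10 +0000] "GET /webInfos/vLogin.py?chkid=12345 HTTP/1.1" 200 512
192.0.2.9 - - [27/Dec/2025:14:22:33 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def looks_like_python(chkid_value):
    """Return the decoded text if chkid_value is base64 of Python that calls or imports, else None."""
    # parse_qs turns a raw '+' into a space; restore it so standard base64 still decodes.
    candidate = chkid_value.replace(" ", "+")
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
        tree = ast.parse(text)
    except (ValueError, SyntaxError):  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None  # not base64, not text, or not Python: an ordinary id value
    # A bare literal such as "123" also parses as Python; require a call or import
    # so that legitimate base64-encoded ids are not flagged.
    if any(isinstance(n, (ast.Call, ast.Import, ast.ImportFrom)) for n in ast.walk(tree)):
        return text
    return None

def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded_code) for each vLogin.py request whose chkid decodes to Python."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/vLogin.py"):  # only the affected script
            continue
        for value in parse_qs(parts.query).get("chkid", []):
            code = looks_like_python(value)
            if code is not None:
                hits.append((m.group("ip"), m.group("ts"), code))
    return hits
```

Run `suspicious_requests` over a real log to get one tuple per flagged request; the AST check trades some recall for fewer false positives on base64-looking ids.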

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2025-54322

Dec 27, 2025 at 2:15 PM
CVSS

A CVSS base score of 10 has been assigned.

Dec 27, 2025 at 2:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2025-54322.

Dec 27, 2025 at 2:20 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS as HIGH based on the CVE details, attack complexity, and exploit information.

Dec 27, 2025 at 2:20 PM
Trending

This CVE started to trend in security discussions

Dec 27, 2025 at 4:34 PM
EPSS

FIRST assigned an EPSS Score of 0.29% (Percentile: 51.8%)

Dec 28, 2025 at 11:01 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2025-54322).

Dec 29, 2025 at 6:00 AM
Threat Intelligence Report

CVE-2025-54322 is a critical vulnerability with a CVSS score of 10.0, allowing unauthenticated remote attackers to execute arbitrary Python code with root privileges on XSpeeder SXZOS firmware via a malformed HTTP request, affecting over 70,000 corporate gateways. The vulnerability stems from a lack of input validation in the vLogin.py script, and exploitation is categorized as low complexity, requiring no user interaction or prior credentials. There is no information provided regarding proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors or technology.

Dec 31, 2025 at 5:17 AM
Trending

This CVE stopped trending in security discussions

Jan 1, 2026 at 12:21 PM

Affected Systems

Xspeeder/sxzos

Exploits

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

CVE-2025-54322

CVE Id: CVE-2025-54322
Release Date: 2025-12-29
Update Date: 2025-12-29

Description: Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Statement: Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. This assessment may evolve based on further analysis and discovery. For more information about this vulnerability and the products it affects, please see the linked references.

Affected Packages and Issued Red Hat Security Errata

References

Weekly Intelligence Report - 09 January 2026

Rather than relying on traditional infection techniques, Kimwolf spreads by exploiting weaknesses in residential proxy networks, allowing attackers to gain access to devices that are unknowingly exposed through poorly secured proxy services. Unsecured proxy infrastructure provides threat actors with a reliable and low-cost method to gain persistent access to trusted networks at scale.

Trending Topics

While LogMeIn Resolve is a legitimate enterprise tool, its silent installation inside a wallet installer strongly indicates abuse, as RMM software is commonly leveraged by threat actors for long-term access prior to follow-on activity, including credential harvesting, wallet compromise, or manual post-exploitation. The RondoDoX activity highlights the increasing convergence of web exploitation and IoT botnet operations, underscoring the need for rapid patching of internet-facing frameworks, strict segmentation of embedded devices, and continuous behavioral monitoring to detect fileless execution, botnet cleanup routines, and outbound connections to evolving attacker infrastructure.

How CVE-2025-54322 is Turning 70,000+ Corporate Gateways into Hacker Backdoors

The vulnerability resides within the vLogin.py script—the gatekeeper for administrative access—where an attacker can execute arbitrary Python code by sending base64-encoded malicious code through the parameter. [Forensic Visualization: Attack Flow: Unauthenticated Request -> /webInfos/ -> chkid=[base64_payload] -> Python eval() -> Root Shell]

News

8 changes (2 new | 6 updated):

- 2 new CVEs: CVE-2025-65889, CVE-2025-65890
- 6 updated CVEs: CVE-2025-68057, CVE-2025-68058, CVE-2025-68059, CVE-2025-68912, CVE-2025-7195, CVE-2026-22458

2026's Unsettling Opening Act

It's only January, but I've already witnessed a seismic shift in how threats operate. Gone are the days of purely manual, or even semi-automated, attacks. We're now contending with adversaries leveraging artificial intelligence in ways that were once confined to sci-fi thrillers. This isn't just a prediction; it's a stark reality unfolding before our eyes. From LunaLock to Weaponized Gemini: Our AI is Being Turned Against Us. One of the most concerning trends I've researched extensively involves the emergence of what I call "agentic" ransomware. We're talking about malware like LunaLock and PromptLock – these aren't your grandpa's crypto-lockers. These are AI-powered beasts that learn, adapt, and even reason about your network's defenses in real-time. Imagine a piece of ransomware that autonomously identifies your critical data, finds the path of least resistance, and executes its payload with chilling precision. And it gets more personal.

⚡ Weekly Recap: AI Automation Exploits, Telecom Espionage, Prompt Poaching & More

Maximum Severity Security Flaw Disclosed in n8n — A maximum-severity vulnerability in the n8n workflow automation platform permits unauthenticated remote code execution and potential full system compromise. China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290.

⚡ Weekly Recap: AI Automation Exploits, Telecom Espionage, Prompt Poaching & More

Security researcher Dhiraj Mishra, who reported the flaw in October 2025, said it can be abused to run arbitrary commands on the developer's machine by taking advantage of the fact that GitLab Merge Request Helper passes repository paths to a sub-process without enclosing them in quotes, enabling an attacker to incorporate shell meta-characters and achieve command execution. China-Linked UAT-7290 Targets Telecoms with Linux Malware — A long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia has been attributed to a sophisticated threat actor tracked as UAT-7290.


CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High
Base Score:10
