CVE-2025-54322

Exploit

EPSS 0.25%
Veröffentlicht 27.12.2025 00:00:00
Zuletzt bearbeitet 09.01.2026 20:33:24
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xspeeder ≫ Sxzos Version <= 2025-12-26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.484

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://www.xspeeder.com

Product

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-54322

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54322

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54322

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54322