Main Vulnerability Database Vulnerabilities #VU120875

Code Injection in SXZOS - CVE-2025-54322

Published: December 31, 2025 / Updated: January 9, 2026

Vulnerability identifier: #VU120875

CSH Severity: Critical

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red

CVE-ID: CVE-2025-54322

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Xspeeder

Affected software:
SXZOS

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a missing input validation in vLogin.py script when processing based64-encoded data. A remote non-authenticated attacker can send a specially crafted HTTP request with encoded Pythin code and execute it on the system with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2025-54322

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

Code Injection in SXZOS - CVE-2025-54322

Detailed vulnerability description

How to mitigate CVE-2025-54322

Sources

Please verify you're human