Main Vulnerability Database Vulnerabilities #VU120875

#VU120875 Code Injection in SXZOS - CVE-2025-54322

Published: December 31, 2025 / Updated: January 9, 2026

Vulnerability identifier: #VU120875

Vulnerability risk: Critical

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red

CVE-ID: CVE-2025-54322

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
SXZOS

Software vendor:
Xspeeder

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a missing input validation in vLogin.py script when processing based64-encoded data. A remote non-authenticated attacker can send a specially crafted HTTP request with encoded Pythin code and execute it on the system with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts

#VU120875 Code Injection in SXZOS - CVE-2025-54322

Description

Remediation

External links

Please verify you're human