CVE-2025-54322 CRITICAL

CVE-2025-54322

Vendor Xspeeder
Product SXZOS
Weakness CWE-95 · Eval injection
Published December 27, 2025
Last update December 29, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Key dates

02Disclosure timeline

December 27, 2025 CVE published
December 29, 2025 Record updated