Vulnerabilities | January 1, 2026 | 4 min read

CVSS 10.0 Zero-Day Hits 70,000 XSpeeder Devices

CVE-2025-54322 enables unauthenticated root RCE on SD-WAN appliances and edge routers. Vendor has ignored seven months of disclosure attempts. No patch available.

Marcus Chen

Security researchers at pwn.ai have disclosed a maximum-severity vulnerability affecting over 70,000 XSpeeder network devices worldwide. CVE-2025-54322 carries a perfect CVSS 10.0 score and allows complete remote takeover without any authentication—and there's no patch.

The vulnerability affects XSpeeder's SXZOS firmware, which runs on SD-WAN appliances, edge routers, and smart TV controllers deployed across industrial and branch office environments globally. After seven months of failed attempts to contact XSpeeder, the researchers published full technical details.

Unauthenticated Root Access

The flaw sits in a Django-based web application embedded in the SXZOS firmware. An attacker can send base64-encoded Python code via the chkid parameter to the vLogin.py endpoint, and that code executes with root privileges.

The vulnerable code path passes user-supplied input to Python's eval(), a textbook code injection pattern, and the filtering placed in front of it can be bypassed with simple encoding tricks. That filter inspects the input before base64 decoding and relies on static pattern matching, so it never sees the decoded payload and is trivially evaded through obfuscation.

No credentials required. No prior access needed. Just network connectivity to port 80 or 443 on a vulnerable device.
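To make the ordering flaw concrete, here is an added Python illustration (not code from XSpeeder's firmware or from the pwn.ai disclosure) of a keyword filter applied to the still-encoded parameter, beside a hardened validator that decodes first, accepts only an identifier shape, and never hands the value to eval(). The keyword list, the identifier pattern and the function names are assumptions.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed illustration of the pattern the article describes. The keyword
# list and all function names here are assumptions, not XSpeeder's code.
BLOCKED_KEYWORDS = ("import", "os.", "subprocess", "open(")

# Shape a legitimate chkid value is assumed to have: a short device/session id.
IDENT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def encode_param(text: str) -> str:
    """Base64-encode a value the way a client would send it in chkid."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def legacy_filter_passes(raw_chkid: str) -> bool:
    """The flawed order: static pattern matching on the still-encoded value.

    Returns True when the request would be forwarded on to the interpreter.
    Because base64 output never contains the keywords, an encoded value
    passes no matter what it decodes to.
    """
    return not any(word in raw_chkid for word in BLOCKED_KEYWORDS)


def hardened_chkid(raw_chkid: str) -> Optional[str]:
    """Decode first, then allowlist; never pass the value to eval()/exec().

    Returns the validated identifier, or None for oversized input, values
    that are not strict base64, and anything that is not a bare identifier.
    """
    if len(raw_chkid) > 64:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(raw_chkid, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not IDENT_RE.fullmatch(decoded):
        return None
    return decoded
```

The decisive fix is removing eval() from the request path altogether; the allowlist, length cap and strict base64 decoding are defence in depth so that a future change cannot quietly reintroduce an interpreter behind the parameter.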

Who's Exposed

XSpeeder, based in China, manufactures edge networking equipment commonly deployed in remote industrial sites and branch offices where internet connectivity options are limited. According to Fofa and similar fingerprinting services, more than 70,000 SXZOS-based systems sit exposed on the public internet.

The affected device types include:

  • SD-WAN appliances connecting branch offices
  • Edge routers in industrial environments
  • Smart TV controllers (less common but present)

These devices often operate in environments with minimal security oversight—remote facilities where IT support is infrequent and firmware updates are rare. They're exactly the kind of infrastructure that nation-state actors and ransomware groups target for initial access.

No Vendor Response

pwn.ai says it attempted to contact XSpeeder beginning in May 2025. Seven months of outreach through multiple channels produced no response. The researchers ultimately chose disclosure over indefinite silence.

"We chose this as our first report because, unlike other vendors, we were unable to obtain any response from XSpeeder despite over seven months of contact," the disclosure states. The vendor's complete non-engagement left few options beyond public disclosure to warn affected organizations.

This isn't unprecedented. Smaller networking vendors, particularly those primarily serving domestic markets, sometimes lack formal vulnerability disclosure programs or simply ignore foreign researchers. XSpeeder appears to fall into this category.

AI-Discovered Vulnerability

The disclosure carries a footnote that may interest the security community: pwn.ai claims this is the first publicly documented case of an AI system autonomously discovering and confirming an exploitable zero-day vulnerability without human guidance.

Whether this represents a breakthrough or a well-orchestrated demonstration, it signals where vulnerability research may be heading. AI systems capable of finding exploitable flaws faster than human researchers could dramatically compress the window between deployment and discovery.

Mitigation Without a Patch

With no vendor response and no patch forthcoming, organizations running XSpeeder equipment must protect themselves:

  1. Isolate affected devices from untrusted networks immediately
  2. Block external access to the vulnerable /webInfos/ endpoint at the firewall or WAF
  3. Implement network segmentation to limit lateral movement if devices are compromised
  4. Monitor for exploitation attempts including unusual traffic to vLogin.py
  5. Evaluate replacement options from vendors with active security programs
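Item 4 is the one a security team can act on today. As an added example (not from the article or from pwn.ai), the Python below scans constructed combined-format access-log lines for requests to vLogin.py whose chkid value does not decode to a plain identifier. The full path /webInfos/vLogin.py, the identifier shape, the log format and the function names are assumptions.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed full path of the endpoint named in the article (the text gives the
# directory and the script name separately).
TARGET_SCRIPT = "/webInfos/vLogin.py"
IDENT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def build_sample_log() -> List[str]:
    """Constructed access-log lines (documentation IP ranges, not real traffic)."""
    return [
        f'203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] "GET {TARGET_SCRIPT}?chkid={_b64("dev-0042")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'198.51.100.23 - - [01/Jan/2026:10:01:09 +0000] "GET {TARGET_SCRIPT}?chkid={_b64("print(1)")} HTTP/1.1" 200 77 "-" "python-requests/2.31"',
        '203.0.113.7 - - [01/Jan/2026:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        f'198.51.100.23 - - [01/Jan/2026:10:03:40 +0000] "POST {TARGET_SCRIPT}?chkid=%%%notbase64 HTTP/1.1" 500 0 "-" "curl/8.4"',
    ]


def classify_chkid(raw: str) -> Optional[str]:
    """Reason the value looks like an injection attempt, or None if benign."""
    # parse_qs turns '+' into a space; base64 never contains spaces, so restore it.
    raw = raw.replace(" ", "+")
    if len(raw) > 64:
        return "oversized"
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return "undecodable"
    if not IDENT_RE.fullmatch(decoded):
        return "decodes-to-non-identifier"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per request to the vulnerable script with a suspicious chkid."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        url = urlsplit(m["target"])
        if url.path != TARGET_SCRIPT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("chkid", []):
            reason = classify_chkid(raw)
            if reason is not None:
                alerts.append({"ip": m["ip"], "ts": m["ts"],
                               "status": m["status"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(build_sample_log()):
        print(alert)
```

The logs have to come from wherever TLS is terminated: traffic to port 443 is opaque to network sensors, so the practical source is a WAF or reverse proxy placed in front of the device as part of item 2, or the device's own logs if it keeps any. Given that the endpoint needs no credentials, any hit on vLogin.py from outside the management network is worth an alert regardless of what the parameter decodes to.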

The last point matters. A vendor that ignores seven months of vulnerability disclosure isn't going to suddenly develop a security culture. Organizations dependent on XSpeeder equipment should factor this into future purchasing decisions.

Exploitation Is Inevitable

A CVSS 10.0 vulnerability with public technical details and no available patch is a worst-case scenario. Exploitation typically begins within hours of disclosure for flaws this severe.

The industrial and branch office environments where XSpeeder devices operate often connect to larger corporate networks. Compromising an edge router provides attackers with a foothold inside network perimeters, bypassing firewalls and VPNs that protect direct internet-facing systems.

Similar network device vulnerabilities—like the MongoDB CVE-2025-14847 that CISA added to its Known Exploited Vulnerabilities catalog—saw rapid exploitation once technical details became available. XSpeeder's smaller install base may reduce volume, but 70,000 exposed devices still represent a substantial opportunity.

Broader Implications

Edge networking vendors occupy a precarious position in the supply chain. Their products provide connectivity to remote and critical environments, yet many lack the security resources of major networking vendors. When vulnerabilities emerge, affected organizations may have no recourse beyond replacement.

The SmarterMail CVSS 10.0 disclosure earlier this week demonstrated similar patterns—critical infrastructure software from a vendor with limited security investment creating outsized risk for users.

For security teams, the takeaway is uncomfortable: vendor selection must account for security responsiveness alongside features and price. Products from vendors that ignore vulnerability disclosures become liabilities when—not if—researchers find flaws.

XSpeeder's silence may protect the company from immediate PR damage, but it leaves 70,000+ organizations exposed to a perfect-severity vulnerability with no fix in sight.
