Critical 0day flaw Exposes Thousands of XSpeeder Devices

  • Dec 29, 2025
  • 2 min read

Key Findings


  • Vulnerability CVE-2025-54322 in XSpeeder networking devices allows unauthenticated remote root access.

  • The vulnerability carries the maximum CVSS score of 10.0 (Critical), the highest possible severity rating.

  • The vulnerability was discovered by the research firm pwn.ai using its proprietary AI tool.

  • Over 70,000 XSpeeder devices are currently exposed online due to this vulnerability.

  • Despite the research team's 7-month effort to notify the vendor, XSpeeder has not issued any patch or advisory to address the issue.


Background


XSpeeder is a Chinese vendor known for "edge" devices such as routers, SD-WAN appliances, and smart TV controllers. Its core software, SXZOS, is used heavily in factories and remote offices.


To find the vulnerability, the pwn.ai tool tasked its "swarm" of AI agents with emulating these devices and hunting for weaknesses. The agents use a custom architecture, built on decades of hacking experience, to reproduce a device's behaviour and scan it for holes.


According to the technical research, the AI targeted a file called `vLogin.py` and found that by injecting a crafted value into the `chkid` request parameter it could make the device execute attacker-supplied commands, a classic command injection. Researchers noted this is "the first agent-found, remotely exploitable 0-day" ever made public.
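The bug class the researchers describe, a request parameter reaching a command interpreter, is illustrated by the following Python example. It is added here and is not code from the article, from pwn.ai or from the XSpeeder firmware. The real format of `chkid` and the command the device runs are not known, so the allowlist pattern, the stand-in `echo` command and the web-server log lines are all constructed assumptions. The example shows the defensive side: validate the parameter against an allowlist, pass it to a subprocess as a single argv element rather than through a shell, and scan access logs for `vLogin.py` requests whose `chkid` fails the same check.

```python
"""
Added example, not from the article, pwn.ai or XSpeeder: a defender-side view
of command injection through a request parameter. Assumptions, labelled here:
the real chkid format is unknown, so [A-Za-z0-9_-]{1,64} is a placeholder
policy; `echo` stands in for whatever tool the device runs; the access-log
lines are constructed, not captured from a real device.
"""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Placeholder allowlist for a well-formed identifier (assumption).
CHKID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_safe_chkid(value: str) -> bool:
    """Allowlist check: only plain identifiers pass, so shell metacharacters
    (; | & $ ` quotes, newlines) can never reach a command."""
    return CHKID_RE.fullmatch(value) is not None


def run_check(value: str) -> str:
    """Hardened handler: validate first, then invoke the tool with an argv
    list and no shell, so the value is one argument and is never parsed.
    Returns the tool's stdout (here `echo`, a stand-in for the real tool)."""
    if not is_safe_chkid(value):
        raise ValueError("chkid rejected by allowlist")
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Constructed Common Log Format lines (not real XSpeeder traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Dec/2025:10:00:01 +0000] "GET /vLogin.py?chkid=user01 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Dec/2025:10:00:07 +0000] "GET /vLogin.py?chkid=user01%3B%20x HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Dec/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [29/Dec/2025:10:00:11 +0000] "POST /vLogin.py?chkid=%24%28x%29 HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Detection sketch: return (line_no, decoded_chkid) for every request to
    vLogin.py whose chkid would fail the allowlist. Only the query string is
    inspected; POST bodies are not recorded in an access log."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/vLogin.py"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are caught too.
        for v in parse_qs(url.query, keep_blank_values=True).get("chkid", []):
            if not is_safe_chkid(v):
                hits.append((n, v))
    return hits


if __name__ == "__main__":
    print(run_check("user01"))
    for n, v in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious chkid {v!r}")
```

The allowlist is deliberately stricter than a denylist of shell characters: a denylist has to anticipate every interpreter quirk, whereas an allowlist only has to describe the one shape a valid identifier takes. The same `is_safe_chkid` predicate serves both the hardened handler and the log scan, so detection and prevention cannot drift apart.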


Vendor Unresponsive for 7 Months


While the discovery of the vulnerability by an AI tool is impressive, the real issue lies in the vendor's lack of response. The pwn.ai team spent over 7 months trying to get XSpeeder to fix the issue, but, as the researchers put it, "no patch or advisory has been issued."


"We chose it as our first disclosure because, unlike other vendors, we have been unable to get any response from XSpeeder despite more than seven months of outreach. As a result, at the time of publication, this unfortunately remains a zero-day vulnerability," researchers wrote.


Massive Risk Exposure


With no fix in sight and 70,000 systems currently exposed online, the risk to industrial and branch environments is massive. The blog post revealed that exploiting the vulnerability requires no special skill: "all the attacker needs to know is the IP of the target."


Pwn.ai also reports that its tool has already found nearly 20 other major vulnerabilities, a sign that the way security vulnerabilities are found and fought is changing fundamentally.


Vendor Responsiveness Issues


The XSpeeder case is not an isolated incident. Vendors often ignore or downplay vulnerability reports, even from reputable researchers. A recent example involves Eurostar, the European rail operator, which accused researchers from Pen Test Partners of blackmail after they reported serious flaws in its AI-powered chatbot.


Incidents like this aren't rare and have happened around the world, which may be why countries such as Portugal have started updating their cybercrime laws to protect ethical hackers and researchers from prosecution simply for identifying and reporting security issues.


Sources


  • https://hackread.com/xspeeder-0day-flaw-devices-vendor-ignores-alert/

  • https://x.com/HackRead/status/2005618940979073223

  • https://www.reddit.com/r/pwnhub/comments/1pysw6m/critical_0day_flaw_exposes_70k_xspeeder_devices/

© 2025 by Explain IT Again.