CVE-2025-54322: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in Xspeeder SXZOS
Description
Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-07-20T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694feb64dfed7fcf239b9ee3
Added to database: 12/27/2025, 2:21:24 PM
Last updated: 12/27/2025, 5:36:21 PM