Full Report
Xspeeder is a networking vendor that makes routers, SD-WAN appliances, and more. Their core firmware, SXZOS, powers a line of SD-WAN devices that are especially prevalent across remote industrial and branch environments. The company behind this post is pwn.ai, which builds autonomous hacking agents: the AI starts with nothing but a target and works out the rest itself, from device emulation via VirtualBox to attack surface identification to finding and exploiting an RCE bug. They published the logs of what the AI was doing, which is really interesting.

The installation of the ISO and its usage in qemu is pretty straightforward. After that, the AI performs file system reconnaissance to locate a Django service, and within that service it identifies the pre-auth attack surface. This is its target. Behind the unauthenticated GateKeeper middleware it finds code that feeds request data into a vulnerable sink; the sink was located through a simple grep for known-bad Python calls such as eval() and os.system(). At the end, it needs to build the request. The data is base64 encoded, so the payload must be prepared that way. Additionally, since the real purpose of the vulnerable code is to convert a string into a dictionary, the fields in the payload must be strings. There are a few headers that must be set, but this wasn't a problem for the bot.

This vulnerability is absolutely low-hanging fruit. But the bot was able to set up the IoT device and find the vulnerability entirely by itself. Given that computers can run all day, there's no stopping these bots from finding every bug like this. Good find!
Analysis Summary
# Vulnerability: Pre-Authentication Remote Code Execution in XSpeeder SXZOS Firmware
## CVE Details
- CVE ID: CVE-2025-54322 (reported in the source material as a zero-day)
- CVSS Score: Not explicitly provided; described as an RCE yielding root privileges.
- CWE: Most likely CWE-94: Improper Control of Generation of Code ('Code Injection') or CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), given the dangerous sink functions involved (`eval()`, `os.system()`).
## Affected Systems
- Products: XSpeeder SD-WAN devices powered by SXZOS firmware.
- Versions: Specific vulnerable versions are not detailed in the summary; the flaw is reached through the **GateKeeper** middleware and sits in the Django service behind it.
- Configurations: Applicable to publicly accessible installations of the SXZOS web UI.
## Vulnerability Description
The vulnerability exists within an unauthenticated path protected by custom Django middleware named `GateKeeper`. The AI identified a Django service in which code execution was possible. The specific flaw resides in a view function that passes request data into a dangerous sink found through static analysis (a grep for `eval()` and `os.system()`). To reach the sink, a request must first pass several gatekeeping checks layered in Nginx and Django middleware:
1. **Nginx User-Agent Check:** The request must include a User-Agent string matching 'SXZ'.
2. **GateKeeper Middleware:**
* A time-synchronized header `X-SXZ-R` must match the current minute's calculated nonce.
* A valid session ID must exist in the request cookies (session "warm-up" required).
* A superficial check on the `chkid` GET parameter (for the string 'system') must be avoided or bypassed (achieved by encoding the exploit payload correctly and ensuring required string fields are present).
Once past these layers, the payload, after a base64 decoding stage, is fed into a function vulnerable to code execution.
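To make the sink concrete from a secure-coding angle, here is an added illustration (not SXZOS code and not from the pwn.ai write-up): a hypothetical handler that base64-decodes a request field and hands the text to `eval()` to turn it into a dictionary, beside a hardened replacement that accepts only literal syntax. Function names, the field shape, and the error handling are assumptions.

```python
import ast
import base64
import binascii


def b64(text: str) -> str:
    """Helper used by the examples below: base64-encode a UTF-8 string."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def parse_settings_unsafe(encoded: str) -> dict:
    """Hypothetical CWE-94 pattern: decode, then eval() whatever the client sent.

    Any expression inside the dict literal is executed with the web process's
    privileges; on an appliance where that process runs as root, that is RCE.
    """
    text = base64.b64decode(encoded).decode("utf-8")
    return eval(text)  # executes names and calls, not just literals


def parse_settings_safe(encoded: str) -> dict:
    """Hardened replacement: strict base64, then literals only, then a shape check."""
    try:
        raw = base64.b64decode(encoded, validate=True)  # reject non-alphabet bytes
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid base64") from exc
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("payload is not UTF-8 text") from exc
    try:
        # literal_eval accepts strings, numbers, tuples, lists, dicts, sets,
        # booleans and None; it rejects names, attribute access and calls.
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("payload is not a literal") from exc
    # The report says the real purpose is a string-to-dict conversion with
    # string fields, so enforce exactly that shape before using the result.
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        raise ValueError("payload must be a dict with string keys")
    return value
```

If the wire format can be changed, `json.loads` is the better long-term choice, since JSON has no notion of code at all; `ast.literal_eval` is shown because it is a drop-in for an existing Python-literal format.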
## Exploitation
- Status: **PoC available**. This finding is described as a weaponized Zero-Day exploited autonomously by an AI system ("pwn.ai").
- Complexity: **Low**, provided the bypass conditions (especially the time-sensitive header) can be met.
- Attack Vector: **Network** (pre-authentication RCE).
- Impact: The exploit results in **Root** command execution on the underlying device.
## Impact
- Confidentiality: **High** (Root access allows extraction of any system data).
- Integrity: **High** (Root access allows modification or destruction of system binaries/data).
- Availability: **High** (Root access allows device shutdown or persistent compromise).
## Remediation
### Patches
- No specific patch version is listed as XSpeeder has reportedly been unresponsive to outreach, leaving this as a zero-day at the time of publication.
### Workarounds
- **Network Segmentation/Access Control:** Restrict all external access to the SXZOS web management interface. Only allow access from trusted, internal networks or via VPN.
- **Header Integrity:** Monitor for requests that carry the expected `X-SXZ-R` header but lack the session cookie a warmed-up session would have, or that carry suspicious base64 values in the relevant parameters.
## Detection
- **Indicators of Compromise (IoCs):**
* Unusually high traffic to the SXZOS web interface originating from external IPs.
* Requests containing base64 encoded data in URL parameters like `chkid` or other input fields destined for the web service.
* System logs indicating execution of unusual shell commands from the web process user context.
- **Detection Methods and Tools:**
* Integrate monitoring for the specific bypass headers (`X-SXZ-R`, `User-Agent: SXZ/*`).
* Web Application Firewalls (WAFs) should decode base64-encoded parameter values where the decoding logic is known, and flag known dangerous operations (`eval`, `os.system`) in the decoded text even when they are obfuscated.
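As an added example of the detection logic above (written for this summary, not code from pwn.ai or XSpeeder), the script below runs three checks over constructed request records: bypass headers (`User-Agent: SXZ/*` plus `X-SXZ-R`) from a source outside the trusted ranges, a nonce header without a session cookie, and base64-encoded query parameters whose decoded text contains a dangerous token. The record layout, the `sessionid` cookie name, the trusted networks and the token list are assumptions; the sample records are constructed.

```python
import base64
import binascii
import ipaddress
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample records (not real SXZOS logs). The fields are what a reverse
# proxy with a custom log format or a Django request-logging middleware could export.
SAMPLE_REQUESTS = [
    {"src": "10.20.0.7", "url": "/api/check?chkid=status",
     "headers": {"User-Agent": "SXZ/2.1", "X-SXZ-R": "a1b2c3",
                 "Cookie": "sessionid=abc123"}},
    {"src": "203.0.113.9",
     "url": "/api/check?chkid="
            + quote(base64.b64encode(b"{'probe': eval('1+1')}").decode(), safe=""),
     "headers": {"User-Agent": "SXZ/2.1", "X-SXZ-R": "a1b2c3"}},
    {"src": "198.51.100.4", "url": "/login",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

# Assumed trusted management ranges; adjust to the real deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
# Tokens to look for after decoding; eval and os.system come from the report.
DANGEROUS_TOKENS = ("eval(", "exec(", "__import__", "os.system", "subprocess", "popen(")


def decode_if_base64(value: str):
    """Return decoded UTF-8 text if value is strict base64, otherwise None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_request(req: dict) -> list:
    """Return a list of finding labels for one request record."""
    findings = []
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    ua = hdrs.get("user-agent", "")
    has_nonce = "x-sxz-r" in hdrs
    has_session = "sessionid=" in hdrs.get("cookie", "")  # Django default cookie name
    src = ipaddress.ip_address(req["src"])
    external = not any(src in net for net in TRUSTED_NETS)

    # Legitimate clients also send these headers, so alert only from outside.
    if ua.startswith("SXZ") and has_nonce and external:
        findings.append("bypass-headers-from-external-source")
    # Nonce header present but no session cookie: the "warm-up" step was skipped.
    if has_nonce and not has_session:
        findings.append("nonce-without-session")
    # Decode every query parameter and inspect the plaintext for dangerous calls.
    for name, value in parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True):
        decoded = decode_if_base64(value)
        if decoded is None:
            continue
        findings.append(f"base64-parameter:{name}")
        hits = [t for t in DANGEROUS_TOKENS if t in decoded]
        if hits:
            findings.append(f"dangerous-token:{name}:{','.join(hits)}")
    return findings


def analyze_all(requests) -> dict:
    """Map record index -> findings, omitting records with nothing to report."""
    report = {}
    for i, req in enumerate(requests):
        findings = analyze_request(req)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, labels in analyze_all(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx]["src"], labels)
```

The base64 check is deliberately strict (validate=True, length a multiple of four) so that ordinary short parameter values such as `status` are not decoded into noise; a real deployment would also feed POST bodies and the `chkid` value through the same path.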
## References
- [Vendor Advisory/Official Fix]: None known/available at the time of writing.
- [Relevant research link]: pwn.ai blog post detailing the autonomous discovery.