Xspeeder SXZOS Unauthenticated Root Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Xspeeder's SXZOS firmware, affecting devices through December 26, 2025. The issue lies in the vLogin.py script, which base64-decodes the chkid request parameter and runs the resulting Python code. Exploitation allows execution of arbitrary commands with root privileges. The vulnerable code is part of a Django web application, in which the chkid parameter is processed by the vLogin view. The application includes a middleware layer that performs basic anti-bot checks and session management, but these defenses can be easily bypassed.
Impact
Exploitation of this vulnerability leads to unauthenticated remote code execution with root privileges on the affected device.
Reproduction
The vulnerability can be reproduced by sending a crafted HTTP GET request to the device's web interface. The request must include the title and oIp parameters, along with a base64-encoded payload in the chkid parameter. The payload should be crafted to include a command that, when executed, connects back to the attacker's listener.
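The following is an added detection example, not code from the advisory or from Xspeeder: it scans web-server access-log lines for requests whose chkid parameter base64-decodes to executable Python (an import or a call), which is the pattern described above. The Common Log Format lines, the /vLogin request path and the sample values are constructed for illustration and are assumptions; the advisory names the vLogin.py script and view but not the exact URL.

```python
import ast
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Matches the request line inside a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _b64(text: str) -> str:
    """Helper to build constructed sample values (not part of detection)."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample access-log lines (assumed CLF format, assumed /vLogin path).
# Line 1 carries a chkid that decodes to benign Python code and should be flagged;
# line 2 carries a chkid that decodes to a plain number and should not be flagged.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [26/Dec/2025:10:00:01 +0000] "GET /vLogin?title=x&oIp=10.0.0.9'
    f'&chkid={_b64("import os; os.getcwd()")} HTTP/1.1" 200 512',
    '10.0.0.6 - - [26/Dec/2025:10:00:02 +0000] "GET /vLogin?title=x&oIp=10.0.0.9'
    f'&chkid={_b64("12345")} HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/Dec/2025:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
])


def decode_chkid(value: str):
    """Return the decoded text if value is strictly valid base64 UTF-8, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def looks_like_python_code(text: str) -> bool:
    """True if text parses as Python and contains an import or a call.

    Requiring an Import/Call node avoids flagging values such as '12345',
    which are valid Python expressions but carry no executable intent.
    """
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return False
    return any(isinstance(n, (ast.Import, ast.ImportFrom, ast.Call))
               for n in ast.walk(tree))


def scan_log(log_text: str) -> list:
    """Return one hit per request whose chkid decodes to Python code."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        for value in parse_qs(parts.query).get("chkid", []):
            decoded = decode_chkid(value)
            if decoded is not None and looks_like_python_code(decoded):
                hits.append({
                    "src": line.split(" ", 1)[0],
                    "path": parts.path,
                    "decoded": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} {hit['path']} chkid decodes to: {hit['decoded']!r}")
```

The decoder uses strict base64 validation so random tokens do not produce false decodes, and the parser check runs on the decoded text only; it never executes it. On the server side the fix is not a filter but removing the decode-and-run path entirely: request parameters must be treated as data and never handed to the Python interpreter.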
