a PoC repo on the critical SXZOS CVE-2025-54322 vulnerability
.gitignore made the Poc and the README 2026-03-30 16:36:19 +03:00
LICENSE Initial commit 2026-03-30 13:05:55 +00:00
PoC.go made the Poc and the README 2026-03-30 16:36:19 +03:00
README.md made the Poc and the README 2026-03-30 16:36:19 +03:00

CVE-2025-54322 Proof of Concept

Overview

This repository contains a proof-of-concept (PoC) for CVE-2025-54322, a critical remote code execution (RCE) vulnerability affecting Xspeeder SXOS routers.
The vulnerability is rated CVSS 9.8 (Critical) because it is easy to exploit and can lead to full compromise of the device.

Vulnerability Description

The flaw stems from an unsafe eval() call in the router firmware that is fed the value of the chkid URL parameter. The untrusted parameter is evaluated directly as Python, so an attacker can inject arbitrary Python expressions and, through them, run arbitrary commands or entire scripts on the device.
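To make the bug class concrete, here is an added illustration in Python (the language eval() implies) of a request handler that hands the chkid query parameter to eval(), next to a hardened version that parses the parameter as the integer it is meant to be. This is constructed example code, not the Xspeeder firmware and not this repo's PoC; the URL path, the handler names and the record table are assumptions made up for the example, and the payload is deliberately harmless (it only reads the process id) while still proving that attacker-supplied code ran.

```python
"""
Added illustration of the eval()-on-chkid bug class. Not the Xspeeder
firmware and not the repo's PoC: the path, handler names and RECORDS
table below are assumptions invented for this example.
"""
import os
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for whatever the real handler looks up by id.
RECORDS = {1: "wan0", 2: "lan0"}


def _chkid_param(url: str) -> str:
    """Return the raw chkid query value, or '' when it is absent."""
    return parse_qs(urlsplit(url).query).get("chkid", [""])[0]


def vulnerable_chkid(url: str):
    """Mirrors the flaw: the raw parameter is evaluated as Python.

    Returns (id, record) so the caller can see what eval() produced.
    """
    raw = _chkid_param(url)
    ident = eval(raw)  # untrusted input straight into the interpreter
    return ident, RECORDS.get(ident, "unknown")


def hardened_chkid(url: str):
    """Same lookup with strict parsing: only a short decimal integer is accepted."""
    raw = _chkid_param(url)
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("chkid must be a decimal integer")
    ident = int(raw)
    return ident, RECORDS.get(ident, "unknown")


# Harmless payload that still proves code execution: it asks the OS for the
# pid of the (simulated) router service. A real attacker would call
# os.system() or os.popen() here, which is what the PoC's
# "Run bash command" option amounts to.
PAYLOAD = "__import__('os').getpid()"


def demo() -> dict:
    """Exercise both handlers with a legitimate id and with the payload."""
    base = "http://192.168.1.1/cgi-bin/check?chkid="  # path is an assumption
    results = {
        "vuln_benign": vulnerable_chkid(base + "1"),
        "vuln_attack": vulnerable_chkid(base + quote(PAYLOAD)),
        "hard_benign": hardened_chkid(base + "1"),
    }
    try:
        hardened_chkid(base + quote(PAYLOAD))
        results["hard_attack"] = "accepted"
    except ValueError:
        results["hard_attack"] = "rejected"
    # The vulnerable handler returned our own pid: the injected call executed.
    results["attack_ran_code"] = results["vuln_attack"][0] == os.getpid()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not a better blocklist around eval(): the parameter has one legitimate shape, a small integer, so the hardened handler parses exactly that and rejects everything else before any interpreter sees it.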

Impact

  • Remote attackers can gain full control of affected devices.
  • Exploitation requires only network access to the router's management interface.
  • Successful compromise may lead to:
    • Persistent backdoors
    • Traffic interception
    • Pivoting into internal networks

Proof of Concept

This PoC demonstrates the vulnerability by sending crafted input in the vulnerable chkid URL parameter.

Usage

go build PoC.go

Run the compiled binary; it prompts on stdin for the target URL and for the command or script to run.

Output:

A Go based PoC of CVE-2025-54322
Enter the Target to attack: http://192.168.1.1
Choose an option:
1) Run bash command
2) Run Python script from file

From here, choose the desired option and supply the parameters it asks for.