A swarm of autonomous AI agents has successfully discovered a critical, unpatched vulnerability in networking gear used across the globe. A new report from pwn.ai details the discovery of a pre-authentication Remote Code Execution (RCE) flaw in devices manufactured by Xspeeder, a Chinese vendor known for its routers and SD-WAN appliances. The flaw is tracked as CVE-2025-54322 and has a CVSS score of 10.
While automated scanners have long existed, pwn.ai claims this discovery represents a leap forward in capability. Their platform autonomously emulated the device firmware, identified the attack surface, and engineered a way in without human hand-holding.
“To our knowledge, this is the first agent-found, remotely exploitable 0day RCE published,” the report states.
The AI agents targeted SXZOS, the core firmware powering Xspeeder’s SD-WAN devices. These devices are frequently deployed in remote industrial and branch environments, making them critical nodes in enterprise networks.
The agents were given a simple directive: emulate the device and try to achieve unauthorized control. The results were swift and devastating.
“It quickly identified a full preauth RCE entry point and told us it found a way in,” the researchers explained.
The vulnerability allows an attacker to execute arbitrary system commands without ever logging in. By manipulating HTTP headers, specifically a User-Agent of SXZ/2.3 and a calculated, time-based X-SXZ-R header, the agents were able to bypass security controls in the device’s Nginx middleware.
The vulnerability is currently a zero-day, meaning no patch exists. pwn.ai reportedly attempted to contact Xspeeder for over half a year to disclose the flaw responsibly but received radio silence.
“We chose it as our first disclosure because, unlike other vendors, we have been unable to get any response from XSpeeder despite more than seven months of outreach,” the report notes. “As a result, at the time of publication, this unfortunately remains to be a zero-day vulnerability.”
The silence from the vendor is particularly alarming given the widespread deployment of these devices. Fingerprinting services like Fofa have identified a massive footprint of exposed systems.
“There are tens of thousands of publicly accessible SXZOS-based systems globally in various geographic regions, making this firmware and any potential vulnerability it exposes, a widespread risk surface.”
Until a patch is released, organizations using Xspeeder SD-WAN appliances are urged to isolate these devices from the public internet to prevent potential compromise by threat actors who may now race to exploit the findings.
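For teams that front these appliances with a reverse proxy or WAF, the header pattern described above can be swept for in request logs. The following is an added example, not code from the pwn.ai report or from Xspeeder; the JSON-lines log schema (`src`, `path`, `headers`) and the sample records are constructed for illustration, and hits are leads for review rather than proof of exploitation.

```python
import json

# Indicators taken from the article: the User-Agent value and the header name.
SUSPECT_UA = "SXZ/2.3"
SUSPECT_HEADER = "x-sxz-r"

def flag_requests(log_lines):
    """Return (line_no, src, reasons) for records matching the reported header pattern."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if not isinstance(rec, dict):
            continue
        # Header names are case-insensitive, so normalise before comparing.
        headers = {k.lower(): str(v) for k, v in (rec.get("headers") or {}).items()}
        reasons = []
        if headers.get("user-agent", "").strip() == SUSPECT_UA:
            reasons.append("user-agent")
        if SUSPECT_HEADER in headers:
            reasons.append("x-sxz-r")
        if reasons:
            hits.append((n, rec.get("src", "?"), reasons))
    return hits

# Constructed sample records (hypothetical schema; header values are placeholders).
SAMPLE_LOG = [
    '{"src":"198.51.100.7","path":"/","headers":{"User-Agent":"Mozilla/5.0"}}',
    '{"src":"203.0.113.9","path":"/","headers":{"User-Agent":"SXZ/2.3","X-SXZ-R":"<value>"}}',
    'not json',
    '{"src":"203.0.113.10","path":"/","headers":{"user-agent":"curl/8.5.0","x-sxz-r":"<value>"}}',
]

if __name__ == "__main__":
    for line_no, src, reasons in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: {src} matched {'+'.join(reasons)}")
```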