Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Xspeeder Devices Hit by AI-Discovered Zero-Day Vulnerability CVE-2025-54322


29 December 2025 08:21

When it comes to cybersecurity, it’s easy to fall into the trap of thinking that problems are always far away, that they only affect others. But the reality is that a vulnerability is always around the corner, ready to strike.

A swarm of autonomous AI agents has discovered a critical flaw in network devices used around the world, and this should ring alarm bells for everyone.

The pwn.ai report details the discovery of a pre-authentication remote code execution (RCE) flaw in devices manufactured by Xspeeder, a Chinese vendor known for its routers and SD-WAN devices. The flaw, tracked as CVE-2025-54322, has a CVSS score of 10, meaning it’s essentially a time bomb waiting to explode. That’s why it’s crucial to acknowledge this vulnerability and understand its implications.

While automated scanners have been around for a while, pwn.ai claims this breakthrough represents a leap forward in capabilities. Their platform autonomously emulated the device’s firmware, identified the attack surface, and designed a way to gain access without human intervention. “To our knowledge, this is the first published agent-discovered, remotely exploitable 0-day RCE,” the report states.

Xspeeder SD-WAN devices, powered by the SXZOS core firmware, were targeted by AI agents. These devices, often located in industrial environments and remote locations, are crucial nodes within corporate networks. The agents were given a basic directive: emulate the devices and gain unauthorized control. The results were swift and devastating. “They quickly identified a full pre-auth RCE entry point and notified us that they had found a way in,” the researchers explained.

The vulnerability allows an attacker to execute arbitrary system commands without ever logging in. By manipulating specific HTTP headers, namely a SXZ/2.3 User-Agent and a computed, time-based X-SXZ-R header, the agents were able to bypass security controls in the device’s Nginx middleware.
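Defenders can look for the two request markers named above in reverse-proxy or perimeter access logs. The following is an added example, not code from pwn.ai or from this article; it assumes a combined-format log extended with the X-SXZ-R request header (in nginx, the $http_x_sxz_r variable), and the management range and sample lines are constructed.

```python
import ipaddress
import re

# Combined log format plus one trailing quoted field for the X-SXZ-R request
# header (assumption: logged via nginx's $http_x_sxz_r; "-" when absent).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<sxz_r>[^"]*)"$'
)
UA_INDICATOR = "SXZ/2.3"  # User-Agent value named in the report
# Hypothetical management range allowed to reach the devices.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines (documentation address ranges, placeholder header).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Dec/2025:08:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "SXZ/2.3" "CONSTRUCTED-VALUE"',
    '198.51.100.20 - - [29/Dec/2025:08:02:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
    '10.20.0.5 - - [29/Dec/2025:08:03:05 +0000] "GET / HTTP/1.1" 200 512 "-" "SXZ/2.3" "-"',
    'truncated line that does not parse',
]

def is_external(src):
    """True when src is outside the management ranges or is not an IP."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(addr in net for net in MGMT_NETS)

def scan(lines):
    """Return (src, timestamp, reasons, external) for each matching request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        reasons = []
        if UA_INDICATOR in m["ua"]:
            reasons.append("ua")
        if m["sxz_r"] not in ("", "-"):
            reasons.append("x-sxz-r")
        if reasons:
            findings.append((m["src"], m["ts"], reasons, is_external(m["src"])))
    return findings

def external_sources(findings):
    """Sorted source addresses that hit the markers from outside management."""
    return sorted({src for src, _, _, ext in findings if ext})
```

Hits from outside the management range are the ones to triage first; the default combined log format does not record the X-SXZ-R header, so without the extra field only the User-Agent marker is visible.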

The vulnerability is currently a zero-day, meaning there is no patch. pwn.ai is said to have attempted to contact Xspeeder for over six months to responsibly disclose the flaw, but has received no response. “We chose this as our first report because, unlike other vendors, we were unable to obtain any response from XSpeeder despite over seven months of contact,” the report reads. “As a result, this unfortunately remains a zero-day vulnerability at the time of publication.”

The vendor’s lack of response is particularly concerning, given the widespread use of these devices. According to fingerprinting services like Fofa, numerous exposed systems have been identified. Tens of thousands of systems based on SXZOS are publicly accessible in various regions of the world, making this firmware, and any potential vulnerabilities it may expose, a large risk area.

Until a patch is released, organizations using Xspeeder SD-WAN devices are advised to isolate those devices from the public internet to prevent potential compromise by threat actors who may now attempt to exploit the findings.

It should be noted that the 0-day bug was revealed many months ago; however, the company has only now decided to discuss it officially, following the principle of coordinated vulnerability disclosure, allowing the manufacturer to release the patch with complete confidence. Intelligent agents are gradually gaining importance and will soon be used to automate scanning tasks; nevertheless, it is crucial to always keep in mind the potential impacts they could have in operational environments.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.