A critical zero-day vulnerability, CVE-2025-54322, has been discovered that enables Unauthenticated Root Remote Command Execution (RCE) in devices running Xspeeder's SXZOS firmware. These networking devices, primarily edge routers and SD-WAN appliances, are extensively used, resulting in an estimated 30,000+ hosts being publicly exposed to full system compromise. The vulnerability was autonomously discovered by the pwn.ai platform. This public disclosure follows six months of unsuccessful attempts to notify the vendor, Xspeeder. The technical findings reveal that the exploit bypasses several superficial defenses, including an Nginx user-agent check and a custom Django GateKeeper middleware that attempts to restrict access using a time-sensitive header nonce and session checks.