CVE-2019-25487 PUBLISHED

SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd

Assigner: VulnCheck
Reserved: 23.02.2026 Published: 11.03.2026 Updated: 11.03.2026

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor: Sapido
Product: RB-1732
Versions: Default: unaffected
  • Version 2.0.43 is affected

Credits

  • k1nm3n.aotoi (finder)

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key