In N2WS Backup & Recovery before 4.4.0, a two-step attack against the RESTful API results in remote code execution.