Sapido · RB-1732 · CVE-2019-25487
**Name of the Vulnerable Software and Affected Versions**
SAPIDO RB-1732 version 2.0.43
**Description**
The device contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands. The `formSysCmd` API endpoint accepts POST requests whose `sysCmd` parameter contains shell commands, and those commands run on the device with router privileges.
**Recommendations**
Apply input validation to the `sysCmd` parameter of the `formSysCmd` API endpoint.
Restrict access to the `formSysCmd` endpoint.
Disable the `formSysCmd` endpoint if it is not essential for device operation.
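Where the endpoint cannot be disabled right away, traffic toward the device can be monitored for the request pattern described above. The following is an added example, not part of the original advisory or vendor code: it inspects captured HTTP requests for `formSysCmd` calls that carry a `sysCmd` value, normalising percent-encoding before matching. The URL prefix, host name, sample requests and the choice of `Authorization`/`Cookie` as credential indicators are assumptions.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "formsyscmd"  # endpoint name from the advisory, lower-cased for comparison
PARAM = "syscmd"         # parameter name from the advisory, lower-cased for comparison

def inspect_request(raw: bytes):
    """Return a finding for a raw HTTP request aimed at formSysCmd, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None  # not a well-formed request line
    method, target = parts[0].upper(), parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Percent-decode the path first so encoded spellings of the name still match.
    segment = unquote(url.path).rstrip("/").rsplit("/", 1)[-1]
    if segment.lower() != ENDPOINT:
        return None
    # parse_qsl percent-decodes names and values; check query string and form body.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {
        "method": method,
        # Assumption: credentials, if any, travel in one of these two headers.
        "no_credentials": not (headers.keys() & {"authorization", "cookie"}),
        "commands": [v for k, v in pairs if k.lower() == PARAM],
    }

# Constructed requests; the URL prefix and header values are placeholders.
SAMPLES = [
    b"POST /example-prefix/formSysCmd HTTP/1.1\r\nHost: router.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nsysCmd=uptime",
    b"POST /example-prefix/form%53ysCmd HTTP/1.1\r\nHost: router.example\r\n\r\nsys%43md=uptime",
    b"POST /example-prefix/formSysCmd HTTP/1.1\r\nHost: router.example\r\n"
    b"Authorization: Basic PLACEHOLDER\r\n\r\nsysCmd=uptime",
    b"GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n",
]

def scan(requests):
    """Return (index, finding) pairs for requests that carry a sysCmd value."""
    hits = [(i, inspect_request(r)) for i, r in enumerate(requests)]
    return [(i, f) for i, f in hits if f and f["commands"]]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

A finding with `no_credentials` set to true matches the unauthenticated case the description covers; a finding with credentials present still warrants review, since the endpoint executes whatever `sysCmd` contains.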