PT-2026-24781 · Sapido · Rb-1732
K1Nm3N.Aotoi · Published 2026-03-11 · Updated 2026-03-11
CVE-2019-25487
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SAPIDO RB-1732 version 2.0.43
Description
The device contains a remote command execution vulnerability that lets unauthenticated attackers run arbitrary system commands. The formSysCmd API endpoint accepts POST requests whose sysCmd parameter is passed to the system shell, so the supplied commands run on the device with the router's privileges.
Recommendations
Apply input validation to the sysCmd parameter of the formSysCmd API endpoint.
Restrict access to the formSysCmd endpoint.
Disable the formSysCmd endpoint if it is not essential for device operation.
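As an added example (not code from the advisory or the vendor), the following Python models the second recommendation as a compensating control on a reverse proxy or IDS placed in front of the router: requests that reach the formSysCmd endpoint from outside an assumed management network are blocked, and any POST carrying the sysCmd parameter is raised for review. The request model, the admin network 192.168.1.0/24, the path /formSysCmd (the advisory names the endpoint, not its full path) and the sample traffic are assumptions.

```python
# Added example (not vendor code): classify requests to the formSysCmd endpoint
# as a proxy or IDS in front of the router would. All values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Assumption: only the management LAN may reach the endpoint (recommendation 2).
ADMIN_NETS = [ip_network("192.168.1.0/24")]

@dataclass
class HttpRequest:
    src_ip: str
    method: str
    path: str       # the advisory names the endpoint, not its full path
    body: str = ""  # urlencoded form body of a POST request

def inspect(req):
    """Return the findings for one request; empty list if nothing matched."""
    if "formSysCmd" not in req.path:
        return []
    findings = ["formSysCmd-access"]
    if not any(ip_address(req.src_ip) in net for net in ADMIN_NETS):
        findings.append("outside-admin-net")
    if req.method.upper() == "POST":
        params = parse_qs(req.body, keep_blank_values=True)
        # The device executes whatever sysCmd holds, so presence is the signal.
        if "sysCmd" in params:
            findings.append("sysCmd-present")
    return findings

def decide(req):
    """Map findings to an action: allow, log, alert or block."""
    findings = inspect(req)
    if not findings:
        return "allow"
    if "outside-admin-net" in findings:
        return "block"  # endpoint reached from outside the admin LAN
    if "sysCmd-present" in findings:
        return "alert"  # command execution request from inside: review it
    return "log"

# Constructed sample traffic: normal page, endpoint probe, in-LAN command
# request, and a command request arriving from the internet.
SAMPLES = [
    HttpRequest("192.168.1.20", "GET", "/status.htm"),
    HttpRequest("192.168.1.20", "GET", "/formSysCmd"),
    HttpRequest("192.168.1.20", "POST", "/formSysCmd", "sysCmd=uptime&apply=1"),
    HttpRequest("203.0.113.9", "POST", "/formSysCmd", "sysCmd=uptime"),
]

def decisions():
    return [decide(req) for req in SAMPLES]
```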
Affected Products
Rb-1732