CVE-2019-25487 | SAPIDO RB-1732 V2.0.43 contains a remote command execution v… | CVSS 9.8 CRITICAL

Description

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.

Metadata

CVE ID: CVE-2019-25487
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-02-23 17:23 UTC
Published: 2026-03-11 18:23 UTC
Last updated: 2026-04-07 14:04 UTC
Primary CWE: CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product: Sapido / RB-1732
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Sapido	RB-1732	—	2.0.43

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639 Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

ExploitDB-47031 https://www.exploit-db.com/exploits/47031
VulnCheck Advisory: SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd https://www.vulncheck.com/advisories/sapido-rb-1732-remote-command-execution-via-formsyscmd