CVE-2019-25487
SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd
In short
A router model SAPIDO RB-1732 allows anyone on the network to run system commands without needing a password. An attacker can send specially crafted requests to execute code with full router privileges.
Technical detail
Unauthenticated remote command execution vulnerability in SAPIDO RB-1732 V2.0.43 formSysCmd endpoint. POST requests with unsanitized sysCmd parameter are executed directly as system commands with router privileges; no authentication or special conditions required.
Summary generated and translated by AI from the official description.
SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Sapido · RB-1732public PoCs found — 1
cve_referencewww.exploit-db.com/exploits/47031unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →