CVE-2019-25487
Published: 11 March 2026
Description
SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.
Mitigating Controls (NIST 800-53 r5)
Requires validation and sanitization of the sysCmd parameter input to the formSysCmd endpoint, directly preventing arbitrary command injection and execution.
Enforces approved authorizations, requiring authentication before access to the formSysCmd endpoint and blocking unauthenticated remote attackers.
Mandates timely identification, reporting, and correction of the specific command execution flaw in the router firmware, eliminating the vulnerability.
Security Summary
CVE-2019-25487 is a remote command execution vulnerability affecting the SAPIDO RB-1732 router on firmware version V2.0.43. The issue arises in the formSysCmd endpoint, where unauthenticated attackers can submit malicious input through POST requests containing shell commands in the sysCmd parameter, leading to arbitrary system command execution on the device.
The vulnerability is exploitable remotely over the network by unauthenticated attackers, with low attack complexity and no privileges or user interaction required, which gives it a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute code with router privileges, potentially compromising the confidentiality, integrity, and availability of the device.
Advisories referenced in VulnCheck and an Exploit-DB entry (exploit 47031) describe the vulnerability and proof-of-concept exploitation details. No specific patches or mitigation guidance is detailed in the provided information.
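A detection sketch for the request pattern described above, added here as an example and not taken from the advisory or the vendor: it flags POST requests to the formSysCmd endpoint that carry a sysCmd parameter and rates those without a session as high severity. The JSON-lines log format, its field names (`ts`, `src`, `method`, `path`, `body`, `auth`), the `/PLACEHOLDER/` path prefix and all sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "formsyscmd"  # endpoint name from the advisory, matched case-insensitively
PARAM = "syscmd"         # parameter name from the advisory, lower-cased for matching

# Constructed sample records in an assumed JSON-lines proxy log format (not real
# traffic). "/PLACEHOLDER/" stands in for the URL prefix, which the page does not give.
SAMPLE_LOG = """\
{"ts":"2026-03-11T10:00:01Z","src":"192.0.2.10","method":"GET","path":"/index.asp","body":"","auth":true}
{"ts":"2026-03-11T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/PLACEHOLDER/formSysCmd","body":"sysCmd=uname+-a","auth":false}
{"ts":"2026-03-11T10:00:09Z","src":"192.0.2.10","method":"POST","path":"/PLACEHOLDER/formSysCmd","body":"sysCmd=ping+192.0.2.1","auth":true}
{"ts":"2026-03-11T10:00:12Z","src":"198.51.100.7","method":"POST","path":"/PLACEHOLDER/FORMSYSCMD?x=1","body":"%73ysCmd=id","auth":false}
not-json garbage line
{"ts":"2026-03-11T10:00:20Z","src":"203.0.113.4","method":"POST","path":"/PLACEHOLDER/formLogin","body":"user=a","auth":false}
"""


def flag_formsyscmd(log_text):
    """Return one finding per POST to the formSysCmd endpoint that carries sysCmd."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed or truncated log lines
        if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
            continue
        url = urlsplit(str(rec.get("path", "")))
        if not url.path.lower().endswith("/" + ENDPOINT):
            continue
        # parse_qs percent-decodes names, so "%73ysCmd" is still recognised.
        pairs = parse_qs(str(rec.get("body", "")), keep_blank_values=True)
        pairs.update(parse_qs(url.query, keep_blank_values=True))
        params = {name.lower(): values for name, values in pairs.items()}
        if PARAM not in params:
            continue
        findings.append({
            "ts": rec.get("ts"),
            "src": rec.get("src"),
            "command": params[PARAM][0],
            # No session on the request matches the unauthenticated case in the CVE.
            "severity": "review" if rec.get("auth") else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_formsyscmd(SAMPLE_LOG):
        print(finding)
```

Authenticated hits are kept as "review" rather than dropped, since any use of the endpoint on an exposed device is worth a look.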
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE through the router's public-facing web endpoint (formSysCmd) corresponds to exploitation of a public-facing application (T1190) and arbitrary shell command execution on a network device (T1059.008).