Cyber Resilience

CVE-2019-25487

Critical · Public PoC

Published: 11 March 2026

Modified: 15 April 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0836 (94.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25487 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25487 is a remote command execution vulnerability affecting the SAPIDO RB-1732 router on firmware version V2.0.43. The issue arises in the formSysCmd endpoint, where unauthenticated attackers can submit malicious input through POST requests containing shell commands in the sysCmd parameter, leading to arbitrary system command execution on the device.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required, earning it a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows attackers to execute code with router privileges, potentially compromising confidentiality, integrity, and availability of the device.

Advisories referenced in VulnCheck and an Exploit-DB entry (exploit 47031) describe the vulnerability and proof-of-concept exploitation details. No specific patches or mitigation guidance are detailed in the provided information.

Vulnerability details

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Unauthenticated RCE via public-facing router web endpoint (formSysCmd) enables exploitation of public-facing application (T1190) and arbitrary shell command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41471 (Shared CWE-639)
CVE-2023-36331 (Shared CWE-639)
CVE-2026-33297 (Shared CWE-639)
CVE-2026-41084 (Shared CWE-639)
CVE-2024-50685 (Shared CWE-639)
CVE-2019-25235 (Shared CWE-639)
CVE-2026-28469 (Shared CWE-639)
CVE-2026-33511 (Shared CWE-639)
CVE-2026-40600 (Shared CWE-639)
CVE-2026-5396 (Shared CWE-639)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Requires validation and sanitization of the sysCmd parameter input to the formSysCmd endpoint, directly preventing arbitrary command injection and execution.

prevent

Enforces approved authorizations, requiring authentication before access to the formSysCmd endpoint and blocking unauthenticated remote attackers.

prevent

Mandates timely identification, reporting, and correction of the specific command execution flaw in the router firmware, eliminating the vulnerability.
