Description
Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters.
Remediation
Apply vendor patches immediately. Review database access controls and enable query logging.
---METADATA---
VENDOR: Sapido
PRODUCT: RB-1732
AFFECTED_VERSIONS: V2.0.43
---END_METADATA---
Description Summary:
Sapido RB-1732 V2.0.43 is vulnerable to unauthenticated remote command execution via the formSysCmd endpoint, allowing attackers to execute arbitrary shell commands with router privileges.
Executive Summary:
An unauthenticated remote command execution vulnerability in Sapido RB-1732 routers allows attackers to gain full administrative control of the device by sending malicious POST requests.
Vulnerability Details
CVE-ID: CVE-2019-25487
Affected Software: Sapido RB-1732
Affected Versions: V2.0.43
Vulnerability: This critical flaw involves a remote command execution (RCE) vulnerability within the formSysCmd endpoint. An unauthenticated attacker can supply arbitrary shell commands through the sysCmd parameter in a POST request, which the system executes with high-level router privileges.
Business Impact
A successful exploit grants an attacker total control over the network router, leading to potential traffic interception, DNS hijacking, and a complete breach of the local network perimeter. The CVSS score of 9.8 reflects the critical nature of this vulnerability, as it requires no user interaction or authentication to achieve full system compromise.
Remediation Plan
Immediate Action: Administrators should immediately update Sapido RB-1732 devices to the latest available firmware version or replace the legacy hardware if updates are no longer supported.
Proactive Monitoring: Monitor network traffic for unusual POST requests directed at the /formSysCmd endpoint and review router logs for unauthorized configuration changes.
Compensating Controls: Restrict access to the router’s web management interface to trusted internal IP addresses only and disable remote management features over the WAN.
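The monitoring and access-restriction guidance above, turned into a small log-triage check as an added example (not part of the advisory and not vendor code): it assumes combined-log-format request lines from a proxy or traffic mirror in front of the router, and a constructed trusted management range of 192.168.1.0/24. It flags POST requests to /formSysCmd, ranking those from outside the trusted range highest, and also flags any other management-UI request from outside that range.

```python
import ipaddress
import re

# Combined-log-format request line as written by a reverse proxy or traffic mirror
# in front of the router (assumed format; the router's own log layout may differ).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}'
)

# Compensating control from the advisory: only these ranges may reach the
# management UI. The range itself is a constructed example value.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# The command-execution endpoint named in the advisory.
WATCHED_PATHS = {"/formSysCmd"}

def classify(line):
    """Return (severity, src, path, reason) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skipped here, count these separately in production
    src, path = m["src"], m["path"].split("?", 1)[0]  # drop any query string
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    trusted = any(addr in net for net in TRUSTED_NETS)
    hits_endpoint = m["method"] == "POST" and path in WATCHED_PATHS
    if hits_endpoint and not trusted:
        return ("critical", src, path, "POST to command endpoint from untrusted source")
    if hits_endpoint:
        return ("high", src, path, "POST to command endpoint from trusted source; review")
    if not trusted:
        return ("medium", src, path, "management UI reached from outside trusted ranges")
    return None

def scan(lines):
    """Run classify() over a log and keep only the findings, in log order."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log (not real traffic) mixing benign and suspicious requests.
SAMPLE_LOG = [
    '192.168.1.20 - - [11/Mar/2026:09:58:01 +0000] "GET /status.htm HTTP/1.1" 200 2048',
    '203.0.113.7 - - [11/Mar/2026:09:58:40 +0000] "POST /formSysCmd HTTP/1.1" 200 512',
    '192.168.1.20 - - [11/Mar/2026:09:59:10 +0000] "POST /formSysCmd HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Mar/2026:10:00:00 +0000] "GET /login.htm HTTP/1.1" 200 1024',
    "not a request line",
]
```

On a device whose WAN-side management is disabled as recommended, any "medium" or "critical" finding indicates the restriction is not actually in effect.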
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Mar 11, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw and the unauthenticated RCE vector, the potential for automated exploitation by botnets is extremely high.
Analyst Recommendation
This vulnerability represents a significant risk to network integrity and data privacy. Organizations using this hardware must prioritize firmware updates or hardware decommissioning immediately to prevent unauthorized access and potential lateral movement within the network.