An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password (โadmin:passwordโ) is used in the Android application that allows attackers to use a hidden API URL โ/goform/SystemCommandโ to execute any command with root permission.