Winston 1.5.4 devices are vulnerable to command injection via the API.
winstonprivacy winston_firmware 1.5.4