An issue exists in RWS WorldServer prior to 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host.
rws worldserver