CVE-2025-3499 PUBLISHED

Unauthenticated execution of arbitrary commands in Radiflow iSAP Smart Collector

Assigner: ENISA
Reserved: 10.04.2025 Published: 09.07.2025 Updated: 09.07.2025

The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Radiflow
Product	iSAP Smart Collector
Versions	Default: unaffected affected from 1.20 to 3.02-1 (excl.)

References

https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3499

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command (’OS Command Injection’) CWE