CVE-2026-22312 PUBLISHED

Use of Hard-coded Credentials Vulnerability in Radiflow iSAP Smart Collector

Assigner: ENISA
Reserved: 07.01.2026 Published: 16.06.2026 Updated: 17.06.2026

The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS Score: 8.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Radiflow
Product	iSAP Smart Collector
Versions	Default: unaffected Version 3.07-1 is affected

References

https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22312

Problem Types

CWE-798: Use of Hard-coded Credentials CWE