Skip to main content

Radiflow iSAP Smart Collector EUVDEUVD-2026-37199

| CVE-2026-22312 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-06-16 ENISA GHSA-rjmc-8p4f-6f8p
8.6
CVSS 3.1 · Vendor: ENISA
Share

Severity by source

Vendor (ENISA) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
vuln.today AI
8.6 HIGH

Network-reachable REST API authenticated by a hardcoded constant token (PR:N, AC:L); attacker can read and modify configuration (C:L/I:H) and trigger reboots (A:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (ENISA).

CVSS VectorVendor: ENISA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 19:46 vuln.today
CVE Published
Jun 16, 2026 - 18:19 cve.org
HIGH 8.6

DescriptionCVE.org

The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).

AnalysisAI

Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.

Technical ContextAI

The vulnerability sits in the device's embedded web server, which exposes a REST API for management. CWE-798 (Use of Hard-coded Credentials) describes exactly this class of flaw: the static token is shipped within the firmware and is therefore identical across deployments, so any party that obtains or recovers it - through firmware analysis, documentation leakage, or simple reuse - can authenticate to every device of that model. The affected CPE is cpe:2.3:a:radiflow:isap_smart_collector across all versions listed, indicating the iSAP Smart Collector, an OT/ICS data collection appliance typically deployed in industrial networks to aggregate telemetry from operational technology assets.

RemediationAI

No vendor-released patch identified at time of analysis based on the supplied references, so the primary action is to contact Radiflow for a firmware update that removes or replaces the hardcoded API token with per-device credentials, and to monitor https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22312 for advisory updates. Compensating controls until a patch is applied: place the iSAP Smart Collector on a strictly segmented management VLAN reachable only from a jump host (eliminates remote attacker reachability but may complicate legitimate operator access), block inbound access to the device's web server port at the upstream firewall except from explicit management IPs (denies API access from unauthorized hosts but breaks any tools that connect from elsewhere), and enable network traffic monitoring for unexpected REST calls to the device - particularly configuration-change and reboot endpoints - to detect abuse if the token is leveraged. Avoid simply rotating the token, since CWE-798 implies it is fixed in firmware and not user-configurable.

Share

EUVD-2026-37199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy