Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Network-reachable REST API authenticated by a hardcoded constant token (PR:N, AC:L); attacker can read and modify configuration (C:L/I:H) and trigger reboots (A:L).
Primary rating from Vendor (ENISA).
CVSS VectorVendor: ENISA
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
AnalysisAI
Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.
Technical ContextAI
The vulnerability sits in the device's embedded web server, which exposes a REST API for management. CWE-798 (Use of Hard-coded Credentials) describes exactly this class of flaw: the static token is shipped within the firmware and is therefore identical across deployments, so any party that obtains or recovers it - through firmware analysis, documentation leakage, or simple reuse - can authenticate to every device of that model. The affected CPE is cpe:2.3:a:radiflow:isap_smart_collector across all versions listed, indicating the iSAP Smart Collector, an OT/ICS data collection appliance typically deployed in industrial networks to aggregate telemetry from operational technology assets.
RemediationAI
No vendor-released patch identified at time of analysis based on the supplied references, so the primary action is to contact Radiflow for a firmware update that removes or replaces the hardcoded API token with per-device credentials, and to monitor https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22312 for advisory updates. Compensating controls until a patch is applied: place the iSAP Smart Collector on a strictly segmented management VLAN reachable only from a jump host (eliminates remote attacker reachability but may complicate legitimate operator access), block inbound access to the device's web server port at the upstream firewall except from explicit management IPs (denies API access from unauthorized hosts but breaks any tools that connect from elsewhere), and enable network traffic monitoring for unexpected REST calls to the device - particularly configuration-change and reboot endpoints - to detect abuse if the token is leveraged. Avoid simply rotating the token, since CWE-798 implies it is fixed in firmware and not user-configurable.
More in Isap Smart Collector
View allSame weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37199
GHSA-rjmc-8p4f-6f8p