Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
REST API is network-reachable on the management interface (AV:N, AC:L), requires a valid admin token (PR:H), no user interaction, and OS command execution as admin breaks out of the web app's authorization scope (S:C) with full CIA impact.
Primary rating from Vendor (ENISA).
CVSS VectorVendor: ENISA
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.
AnalysisAI
OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.
Technical ContextAI
The iSAP Smart Collector is a Radiflow industrial cyber-security appliance used to passively collect, parse, and forward telemetry from OT/ICS networks to Radiflow's iSID/iCEN monitoring platforms. It exposes a management web server providing a REST API that authenticates clients with a bearer token. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that one or more API endpoints pass attacker-controlled input into a shell or system() call without proper sanitization or argument separation, so shell metacharacters (;, |, &&, backticks, $()) injected into a parameter are interpreted by the OS and executed under the privileged service account that runs the web server. The CPE confirms all versions of cpe:2.3:a:radiflow:isap_smart_collector are listed as affected, with no upper version bound published.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data, so operators should consult Radiflow PSIRT directly and monitor the CVCN advisory at https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313 for a fixed firmware version. As compensating controls, strictly isolate the iSAP Smart Collector management interface on a dedicated management VLAN reachable only from a hardened jump host (side effect: legitimate API integrations from SOC tooling must be re-routed); rotate and tightly scope the REST API authentication tokens, and revoke any shared or long-lived tokens (side effect: requires updating any automation that consumed them); restrict outbound connectivity from the collector to break post-exploitation command-and-control (side effect: may impact telemetry forwarding to iCEN/iSID if those flows are not explicitly allow-listed); and enable detailed REST API access and process-execution logging, forwarding to a SIEM to detect shell-metacharacter patterns in API parameters.
More in Isap Smart Collector
View allSame weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37206
GHSA-rvj8-j4f2-ffj6