Skip to main content

Radiflow iSAP Smart Collector EUVDEUVD-2026-37206

| CVE-2026-22313 CRITICAL
OS Command Injection (CWE-78)
2026-06-16 ENISA GHSA-rvj8-j4f2-ffj6
9.1
CVSS 3.1 · Vendor: ENISA
Share

Severity by source

Vendor (ENISA) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

REST API is network-reachable on the management interface (AV:N, AC:L), requires a valid admin token (PR:H), no user interaction, and OS command execution as admin breaks out of the web app's authorization scope (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (ENISA).

CVSS VectorVendor: ENISA

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 19:49 vuln.today
CVE Published
Jun 16, 2026 - 18:36 cve.org
CRITICAL 9.1

DescriptionCVE.org

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

AnalysisAI

OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.

Technical ContextAI

The iSAP Smart Collector is a Radiflow industrial cyber-security appliance used to passively collect, parse, and forward telemetry from OT/ICS networks to Radiflow's iSID/iCEN monitoring platforms. It exposes a management web server providing a REST API that authenticates clients with a bearer token. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that one or more API endpoints pass attacker-controlled input into a shell or system() call without proper sanitization or argument separation, so shell metacharacters (;, |, &&, backticks, $()) injected into a parameter are interpreted by the OS and executed under the privileged service account that runs the web server. The CPE confirms all versions of cpe:2.3:a:radiflow:isap_smart_collector are listed as affected, with no upper version bound published.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data, so operators should consult Radiflow PSIRT directly and monitor the CVCN advisory at https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313 for a fixed firmware version. As compensating controls, strictly isolate the iSAP Smart Collector management interface on a dedicated management VLAN reachable only from a hardened jump host (side effect: legitimate API integrations from SOC tooling must be re-routed); rotate and tightly scope the REST API authentication tokens, and revoke any shared or long-lived tokens (side effect: requires updating any automation that consumed them); restrict outbound connectivity from the collector to break post-exploitation command-and-control (side effect: may impact telemetry forwarding to iCEN/iSID if those flows are not explicitly allow-listed); and enable detailed REST API access and process-execution logging, forwarding to a SIEM to detect shell-metacharacter patterns in API parameters.

Share

EUVD-2026-37206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy