Skip to main content

Isap Smart Collector

2 CVEs product

Monthly

CVE-2026-22313 CRITICAL Act Now

OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.

Command Injection Isap Smart Collector
NVD VulDB
CVSS 3.1
9.1
EPSS
0.9%
CVE-2026-22312 HIGH This Week

Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.

Authentication Bypass Isap Smart Collector
NVD VulDB
CVSS 3.1
8.6
EPSS
0.2%
EPSS 1% CVSS 9.1
CRITICAL Act Now

OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.

Command Injection Isap Smart Collector
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.

Authentication Bypass Isap Smart Collector
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy