Description
The device runs two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). These APIs are vulnerable to OS command injection (CWE-78): an attacker who can reach the management network can, without credentials or user interaction, send requests that cause arbitrary commands to be executed with administrative privileges on the underlying operating system.
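What this class of bug looks like in code, as an added illustration that is not Radiflow's code and does not reflect the iSAP Smart Collector's actual endpoints, request format or implementation: a hypothetical diagnostic endpoint that interpolates a request field into a shell command line (the CWE-78 pattern the advisory names), beside a hardened version that allowlists the value, invokes the program as an argv list without a shell, and authenticates the request before doing anything. The request bodies, the "ping" diagnostic, the Authorization header and the bearer token are all constructed for the example.

```python
"""Hypothetical REST diagnostic handler: OS command injection (CWE-78) and a hardened rewrite.

Added illustration only; not Radiflow's code. Endpoint shape, request bodies,
the 'ping' command and the token check are all constructed for this example.
"""
import hmac
import ipaddress
import re
import subprocess

# Constructed request bodies, as a management API might receive them.
BENIGN_REQUEST = {"target": "10.0.0.5"}
# A shell metacharacter in the user-controlled field smuggles a second command.
INJECTED_REQUEST = {"target": "127.0.0.1; echo INJECTED"}

# RFC 1123-style hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


# --- Vulnerable pattern -----------------------------------------------------

def build_command_vulnerable(params):
    """Interpolates untrusted input straight into a shell command line (CWE-78)."""
    return f"ping -c 1 -W 1 {params['target']}"


def run_vulnerable(params):
    """shell=True hands the whole string to /bin/sh, which honours ';', '|', '$(...)'."""
    return subprocess.run(build_command_vulnerable(params), shell=True,
                          capture_output=True, text=True)


# --- Hardened pattern -------------------------------------------------------

def validate_target(target):
    """Allowlist: accept only a literal IP address or a plain hostname."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def build_command_hardened(params):
    """argv list, no shell: the target is one argument and is never parsed for metacharacters."""
    return ["ping", "-c", "1", "-W", "1", validate_target(params.get("target", ""))]


def run_hardened(params):
    """Executes the program directly; no shell is involved."""
    return subprocess.run(build_command_hardened(params), shell=False,
                          capture_output=True, text=True)


# --- Authentication ---------------------------------------------------------

def authorize(headers, expected_token):
    """Require a bearer token, compared in constant time. Input validation does not
    replace authentication of a management API that was reachable unauthenticated."""
    presented = headers.get("Authorization", "")
    if not presented.startswith("Bearer "):
        return False
    return hmac.compare_digest(presented[len("Bearer "):], expected_token)


def handle_diagnostic(headers, body, expected_token):
    """Hardened endpoint: authenticate, validate, then run without a shell.
    Returns an (http_status, text) pair."""
    if not authorize(headers, expected_token):
        return 401, "unauthorized"
    try:
        argv = build_command_hardened(body)
    except ValueError as exc:
        return 400, str(exc)
    result = subprocess.run(argv, capture_output=True, text=True)
    return 200, result.stdout


if __name__ == "__main__":
    print("vulnerable handler stdout:", run_vulnerable(INJECTED_REQUEST).stdout.strip())
    print("hardened argv:", build_command_hardened(BENIGN_REQUEST))
    print("hardened response to injected body:",
          handle_diagnostic({"Authorization": "Bearer s3cret"}, INJECTED_REQUEST, "s3cret"))
```

Running the block shows the two halves of the fix: with the vulnerable handler the injected body makes the shell run `echo INJECTED` after (or instead of) the ping, while the hardened handler never builds a shell string at all, rejects the same body with a 400 before anything executes, and refuses requests without a valid token with a 401.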
References (1)
cvcn.gov.it (government resource): https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3499
Scores
CVSS v3: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0103 (1.03% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile: 59.1%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
Status: published
Products (1)
Radiflow/iSAP Smart Collector, versions 1.20 through 3.02-1
Published: Jul 09, 2025
Tracked Since: Feb 18, 2026