CVE-2025-3498
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-07-10
Assigner: ENISA
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| radiflow | isap_smart_collector | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an unauthenticated user who has access to the management network to access and modify the configuration of the Radiflow iSAP Smart Collector device. The device runs CentOS 7 with VSAP 1.20 and exposes two web servers with unauthenticated REST APIs on TCP ports 8084 and 8086. An attacker can use these APIs to retrieve all system settings, change the configuration, and execute certain commands such as rebooting the system.
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized disclosure of system settings (confidentiality loss), unauthorized modification of device configuration (integrity loss), and disruption of device availability through commands like system reboot. This can lead to compromised device operation, potential network disruptions, and unauthorized control over the affected system.