CVE-2025-3498

Radiflow · iSAP Smart Collector

The Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) allows unauthenticated users with access to the management network to retrieve and modify the device configuration.

Executive summary

An unauthenticated configuration modification vulnerability in the Radiflow iSAP Smart Collector lets anyone who can reach the management network read and change device settings without credentials.

Vulnerability

Unauthenticated users with access to the management network can retrieve and modify device configurations. The underlying cause is not specified; the most likely explanation is that a management web service or API exposes configuration read and write operations without an authentication check.

Business impact

The ability to modify device configurations allows an attacker to alter the operational behavior of the iSAP Smart Collector, potentially exposing the data it collects to interception or taking the collector out of service entirely. With a CVSS base score of 9.9 (Critical), driven by the lack of any authentication requirement, this vulnerability poses a severe threat to operational technology environments and industrial control networks.

Remediation

Immediate Action: Update the iSAP Smart Collector to a version that Radiflow has released with a fix for this unauthorized configuration access flaw, and confirm the installed version after the update.

Proactive Monitoring: Review configuration change records for changes that do not correspond to an approved change, and monitor management-network traffic for connections to the collector from hosts that have no business reaching it. Because the flaw needs no credentials, any unexpected source that can reach the management interface should be treated as a potential compromise, not merely a failed access attempt.

Compensating Controls: Use strict network segmentation so that the management interface of the iSAP Smart Collector is reachable only from a small set of designated engineering or jump hosts, and not from any untrusted network segment.
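The following script illustrates the monitoring and segmentation checks above by flagging any accepted connection to the collector's management address from a source outside an allowlist. It is an added example written for this page, not Radiflow code or a format the collector itself produces: the flow-log layout, the management address (10.10.5.20), the jump-host network (10.10.100.0/24) and the sample lines are all constructed assumptions; adapt the regular expression to whatever your perimeter firewall actually logs.

```python
"""Flag management-plane access to an iSAP Smart Collector that violates
an allowlist. Added example for this page; not Radiflow code. The log
format, addresses and allowlist below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed (hypothetical) collector management address and the only networks
# that are permitted to reach it, e.g. an engineering jump-host subnet.
COLLECTOR_MGMT_IP = ipaddress.ip_address("10.10.5.20")
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.100.0/24")]

# Constructed perimeter-firewall flow log, one connection per line:
# <timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>
SAMPLE_FLOWS = """\
2025-05-01T10:00:01Z ACCEPT 10.10.100.7 -> 10.10.5.20:443
2025-05-01T10:00:09Z ACCEPT 10.10.5.30 -> 10.10.5.20:443
2025-05-01T10:01:15Z ACCEPT 192.168.77.4 -> 10.10.5.20:22
2025-05-01T10:02:00Z ACCEPT 10.10.100.7 -> 10.10.5.40:443
2025-05-01T10:03:30Z DROP 10.10.5.31 -> 10.10.5.20:443
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    port: int
    reason: str


def is_allowed_source(src):
    """True if src lies inside one of the allowlisted management networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_MGMT_NETS)


def find_unauthorized_mgmt_access(log_text):
    """Return an Alert for every accepted connection to the collector's
    management address from a source outside the allowlist. Because the
    flaw needs no credentials, reachability alone is the finding; the
    destination port is reported but not used to filter."""
    alerts = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if ipaddress.ip_address(m["dst"]) != COLLECTOR_MGMT_IP:
            continue  # traffic to some other host
        if m["action"] != "ACCEPT":
            continue  # the segmentation rule already blocked it
        if not is_allowed_source(m["src"]):
            alerts.append(Alert(m["ts"], m["src"], int(m["port"]),
                                "management access from non-allowlisted source"))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_mgmt_access(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> port {a.port}: {a.reason}")
```

On the sample log this reports two alerts: the plant-floor host 10.10.5.30 and the stray 192.168.77.4 both reached the management address, while the jump host, the connection to an unrelated destination, and the dropped attempt are ignored. The same allowlist should be what your segmentation policy enforces; the script is a check that the policy holds, not a substitute for it.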

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Immediate remediation is critical for this critical-severity (CVSS 9.9) configuration vulnerability. Organizations should prioritize updating the affected Radiflow units and ensure that management interfaces are reachable only from designated hosts, since no credentials are needed to exploit the flaw.