PT-2025-28864 · Radiflow · Radiflow Isap Smart Collector

Published 2025-07-09 · Updated 2025-07-14 · CVE-2025-3498

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20)
Description: An unauthenticated user with management network access can access and modify the configuration of the Radiflow iSAP Smart Collector. The device has two web servers that expose unauthenticated REST APIs on the management network, specifically on TCP ports 8084 and 8086. An attacker can use these APIs to access all system settings, modify the configuration, and execute certain commands, such as a system reboot.
Recommendations: For Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20), consider disabling access to the unauthenticated REST APIs on TCP ports 8084 and 8086 until a patch is available. Restrict access to the management network to minimize the risk of exploitation. Avoid using the affected APIs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
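While no fix is available, one way to check that the management-network restriction is holding is to review flow or firewall logs for connections to TCP 8084 and 8086 from hosts that are not approved administration sources. The following is an added example, not part of the advisory or any Radiflow tooling; the log format, the collector address and the allowlisted subnet are constructed assumptions.

```python
import ipaddress

# Ports named in the advisory; addresses and log format below are constructed assumptions.
EXPOSED_PORTS = {8084, 8086}
COLLECTORS = {ipaddress.ip_address("10.20.0.5")}           # hypothetical collector address
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.64/28")]  # hypothetical admin jump hosts

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2025-07-10T08:01:12Z 10.20.0.66 10.20.0.5 8084 ACCEPT
2025-07-10T08:03:40Z 10.20.0.130 10.20.0.5 8086 ACCEPT
2025-07-10T08:04:02Z 10.20.0.131 10.20.0.5 8084 DROP
2025-07-10T08:05:19Z 10.20.0.130 10.20.0.5 443 ACCEPT
2025-07-10T08:06:55Z 192.168.7.9 10.20.0.5 8086 ACCEPT
malformed line
"""

def parse_flow(line):
    """Return (ts, src, dst, port, action), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action.upper()
    except ValueError:
        return None

def find_unapproved_api_access(log_text):
    """Flag flows to the unauthenticated API ports from sources outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst not in COLLECTORS or port not in EXPOSED_PORTS:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # ACCEPT means the request reached the API; anything else was stopped by the filter.
        severity = "reached-api" if action == "ACCEPT" else "blocked-attempt"
        findings.append((ts, str(src), port, severity))
    return findings

if __name__ == "__main__":
    for finding in find_unapproved_api_access(SAMPLE_FLOWS):
        print(finding)
```

Any `reached-api` finding means the access restriction is not effective for that source and the collector's configuration should be reviewed for unauthorized changes.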

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2025-13114
CVE-2025-3498

Affected Products

Radiflow Isap Smart Collector