CVE-2025-3498CRITICAL 9.9EPSS p19.7%

CVE-2025-3498CVE-2025-3498

Description

An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An attacker can use these APIs to get access to all system settings, modify the configuration and execute some commands (e.g., system reboot).

Scoring

CVSS 3.19.9 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
EPSS0.28% probability of exploitation · percentile 19.7% · 2026-06-19T12:03:05Z
Published2025-07-09
Last modified2026-04-15

Underlying weaknesses· 1

CWE-306

References

  1. https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3498

1

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-3497
CVE
CVE-2025-3499
CVE
CVE-2025-41648
CVE
CVE-2025-46412
CVE
CVE-2026-34176
CVE
CVE-2025-8284
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.