CVE-2025-3498 — CRITICAL (9.9)

Vulnerability Description

An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An attacker can use these APIs to get access to all system settings, modify the configuration and execute some commands (e.g., system reboot).

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Related Weaknesses (CWE)

CWE-306

References

https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3498

FAQ

What is CVE-2025-3498?

CVE-2025-3498 is a vulnerability with a CVSS score of 9.9 (CRITICAL). An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthent...

How severe is CVE-2025-3498?

CVE-2025-3498 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-3498?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.