Impact
The webserver of the Radiflow iSAP Smart Collector uses a constant token for authentication, allowing any user to access an unauthenticated REST API. An attacker can retrieve system settings, change configuration, and run privileged commands such as rebooting the device. This flaw is a hard‑coded credential weakness (CWE-798) that can lead to unauthorized administrative control of the device.
Affected Systems
Radiflow iSAP Smart Collector. No specific version information is available; all released versions that ship the default hard‑coded token are affected.
Risk and Exploitability
The CVSS score of 8.6 marks the vulnerability as high severity. The EPSS score, below 1%, suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector relies on network access to the web server’s REST API, so systems exposed to external networks are at risk.
OpenCVE Enrichment