cbcvebase.
CVE-2025-3499
published 2025-07-09

Priority: P2 (76)
Severity: critical, 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.03% (59.3th percentile)

The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.

Affected

1 range

Vendor: radiflow
Product: isap_smart_collector
Version range: >= 1.20 < 3.02-1
Fixed in: 3.02-1