OS Command Injection Vulnerability in Device Management Servers by Vendor
CVE-2025-3499

10 CRITICAL

Key Information:

Vendor: Radiflow

CVE Published: 9 July 2025

What is CVE-2025-3499?

The affected device management servers expose unauthenticated REST APIs on TCP ports 8084 and 8086 that are vulnerable to OS command injection. An attacker can exploit them to execute arbitrary commands on the operating system with administrative permissions, which poses a serious security risk.

Affected Version(s)

iSAP Smart Collector Linux 1.20 < 3.02-1

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
