CVE-2025-3499: CWE-78: Improper Neutralization of Special Elements used in an OS Command (’OS Command Injection’) in Radiflow iSAP Smart Collector

Critical
Tags: Vulnerability, CVE-2025-3499, cve, cwe-78
Published: Wed Jul 09 2025 (07/09/2025, 08:57:26 UTC)
Source: CVE Database V5
Vendor/Project: Radiflow
Product: iSAP Smart Collector

Description

The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system.

AI-Powered Analysis

AI analysis last updated: 07/09/2025, 09:24:34 UTC

Technical Analysis

CVE-2025-3499 is a critical OS command injection vulnerability affecting Radiflow's iSAP Smart Collector device, specifically version 1.20. The device runs two web servers exposing unauthenticated REST APIs on the management network via TCP ports 8084 and 8086. These APIs do not properly sanitize input, allowing an attacker to inject arbitrary OS commands. Because the commands are executed with administrative privileges by the underlying operating system, exploitation can lead to full system compromise. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that special characters or command elements are not properly filtered or escaped before being passed to the OS shell. The CVSS v3.1 base score is 10.0 (critical), reflecting the vulnerability's ease of remote exploitation without authentication or user interaction, and its complete impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the vulnerability's characteristics make it a prime target for attackers aiming to gain control over industrial or critical infrastructure environments where the iSAP Smart Collector is deployed. The iSAP Smart Collector is typically used in industrial network monitoring and security, meaning successful exploitation could allow attackers to manipulate monitoring data, disrupt industrial processes, or pivot deeper into operational technology (OT) networks. The vulnerability affects only version 1.20, and no patches have been published at the time of disclosure. The presence of unauthenticated REST APIs on management networks significantly increases the attack surface, as attackers do not require credentials or user interaction to exploit this flaw.
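The CWE-78 pattern described above (a request parameter reaching the OS shell without neutralization) and the usual hardening for it, as an added illustration that is not Radiflow code and makes no claim about how the iSAP Smart Collector's APIs are implemented. The `host` parameter, the `ping` command and the allowlist regex are assumptions chosen to show the two patterns side by side: the vulnerable function concatenates the parameter into a command string destined for a shell, while the hardened path rejects anything outside an allowlist and passes the value as a single argv element so no shell ever parses it.

```python
import re
import subprocess
from typing import List

# Allowlist for a hostname/IPv4 parameter (assumed API input): letters, digits,
# dots and hyphens only, so shell metacharacters (; | & $ ` whitespace) never pass.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vulnerable_command(host: str) -> str:
    """CWE-78 pattern (illustrative): the request parameter is concatenated into
    a command string that would then be handed to a shell (shell=True / system()).
    Anything the shell treats specially in `host` is interpreted, not passed on."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject input outside the allowlist instead of trying to escape it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("host parameter contains characters outside the allowlist")
    return host


def safe_argv(host: str) -> List[str]:
    """Hardened pattern: the validated value becomes one argv element, so it can
    only ever be a single argument and no shell is involved in parsing it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute without a shell; returns the process exit status."""
    proc = subprocess.run(safe_argv(host), shell=False, check=False,
                          capture_output=True)
    return proc.returncode


def is_accepted(host: str) -> bool:
    """True if the parameter would be allowed through to safe_argv()."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values, two with shell syntax.
    for candidate in ["10.0.5.10", "collector.example.internal",
                      "10.0.5.10; uptime", "$(hostname)"]:
        print(f"{candidate!r}: accepted={is_accepted(candidate)}")
```

The allowlist is deliberately narrow: an API that accepts hostnames has no reason to accept a semicolon or a dollar sign, and rejecting is cheaper and more reliable than escaping for every shell dialect the device might use.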

Potential Impact

For European organizations, especially those operating in critical infrastructure sectors such as energy, manufacturing, and utilities, this vulnerability poses a severe risk. The iSAP Smart Collector is used for industrial network security monitoring, so a successful attack could undermine the integrity and availability of security monitoring data, potentially allowing attackers to mask malicious activities or cause operational disruptions. The administrative-level command execution capability means attackers can deploy malware, alter configurations, or disable security controls, leading to prolonged undetected intrusions. This could result in operational downtime, safety hazards, data breaches, and regulatory non-compliance under frameworks like NIS2 and GDPR. Given the criticality of industrial control systems in Europe and the increasing targeting of OT environments by threat actors, this vulnerability could facilitate attacks that have cascading effects beyond IT systems, impacting physical processes and public safety. The lack of authentication and the exposure of vulnerable APIs on management networks further exacerbate the risk, as internal network segmentation failures or insider threats could easily exploit this flaw.

Mitigation Recommendations

Immediate mitigation steps include isolating the affected iSAP Smart Collector devices from untrusted networks and restricting access to the management network ports 8084 and 8086 using network segmentation and firewall rules. Organizations should implement strict access controls, allowing only trusted administrators to reach these APIs. Monitoring network traffic for unusual commands or connections to these ports can help detect exploitation attempts. Since no patches are currently available, consider deploying virtual patching via intrusion prevention systems (IPS) that can detect and block OS command injection patterns targeting these APIs. Vendors and users should prioritize obtaining and applying vendor-supplied patches or firmware updates as soon as they are released. Additionally, conducting a thorough audit of all devices running version 1.20 and replacing or upgrading them if patching is not feasible is recommended. Implementing application-layer gateways or API gateways that validate and sanitize inputs before forwarding requests to the device can also reduce risk. Finally, reviewing and enhancing logging and alerting on these devices will improve incident response capabilities.
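One way to turn the "restrict and monitor ports 8084 and 8086" recommendation into a check, as an added example that is not part of the advisory. It runs detection logic over constructed firewall log lines: any TCP connection to the two API ports is compared against an assumed administrator subnet, and an accepted connection from anywhere else is flagged as a segmentation gap while a denied one is recorded as a blocked probe. The log line format, the `10.0.250.0/24` admin range and the collector address are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Ports named in the advisory for the unauthenticated REST APIs.
COLLECTOR_PORTS = {8084, 8086}
# Hypothetical management-network range from which administrators are expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.250.0/24")]

# Assumed key=value firewall log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; return None for lines in another format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_admin_source(src: str) -> bool:
    """True if the source address falls inside an allowed administrator range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag traffic to the collector API ports that did not come from an admin range.
    accept -> 'unauthorized_access' (a firewall/segmentation gap to close)
    deny   -> 'blocked_probe'       (worth counting per source for trending)"""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if int(rec["dport"]) not in COLLECTOR_PORTS or is_admin_source(rec["src"]):
            continue
        kind = "unauthorized_access" if rec["action"].lower() == "accept" else "blocked_probe"
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "kind": kind})
    return alerts


def probes_per_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per source address, for a quick view of who is knocking."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


# Constructed sample log: one admin session, one non-admin session the firewall
# let through, one denied probe, one unrelated HTTPS flow and one malformed line.
SAMPLE_LOG = """
2025-07-09T09:10:01Z src=10.0.250.5 dst=10.0.5.10 proto=tcp dport=8084 action=accept
2025-07-09T09:10:07Z src=10.1.2.3 dst=10.0.5.10 proto=tcp dport=8086 action=accept
2025-07-09T09:10:09Z src=192.168.7.7 dst=10.0.5.10 proto=tcp dport=8084 action=deny
2025-07-09T09:10:12Z src=10.1.2.3 dst=10.0.5.10 proto=tcp dport=443 action=accept
this line is not in the expected format
""".strip().splitlines()


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
    print(probes_per_source(find_alerts(SAMPLE_LOG)))
```

The accepted non-admin connection is the finding that matters most: it means the firewall rules the advisory calls for are not yet in place for that path, independent of whether the request carried an injection attempt.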

Technical Details

Data Version: 5.1
Assigner Short Name: ENISA
Date Reserved: 2025-04-10T08:40:15.892Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686e31e96f40f0eb72023af4

Added to database: 7/9/2025, 9:10:01 AM

Last enriched: 7/9/2025, 9:24:34 AM

Last updated: 7/9/2025, 1:09:37 PM

Views: 4
