CVE-2026-22312: Use of Hard-coded Credentials Vulnerability in Radiflow iSAP Smart Collector
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A hard-coded credentials vulnerability exists in the Radiflow iSAP Smart Collector (version 3.07-1), an industrial network monitoring device. The embedded web server exposes a REST API protected by a constant, unchangeable token, meaning any attacker who can reach the device over the network gains full API access without supplying real credentials. Successful exploitation lets an attacker read system settings, alter the device configuration, and execute commands such as forcing a system reboot. No fix version has been published; HarborGuard tracks this advisory and will surface a patched rebuild as soon as upstream ships one.
HarborGuard Coverage
Detection of CVE-2026-22312 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate Radiflow iSAP Smart Collector software at version 3.07-1.
Available
HarborGuard scores this CVE at CVSS 8.6 HIGH and makes that rating available alongside per-environment compliance policy weighting, so teams with stricter OT or ICS policies can escalate priority accordingly; findings are routed to the appropriate team inbox within each customer organization.
Available
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, the platform surfaces the finding with its current advisory status so teams can apply compensating controls without waiting for manual re-scans.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the device's web server over the network; the API is exposed remotely via HTTP/HTTPS with no network-layer restriction built into the device itself.
- Authentication: Not required
  The REST API relies on a constant hard-coded token rather than real authentication, so no valid account or credential is needed to interact with it.
- Victim interaction: Not required
  The attacker sends requests directly to the API endpoint; no action from a user or operator on the target device is required.
- Attack complexity: Detail
  Exploit complexity is low: the hard-coded token is static and condition-free, making the attack reliable and repeatable without requiring specific timing or environmental setup.
Blast Radius
- Reads device system settings and configuration data exposed through the REST API.
- Overwrites device configuration, potentially redirecting traffic collection, disabling monitoring, or altering OT network visibility.
- Executes privileged commands such as forcing a full system reboot, disrupting continuous monitoring of the industrial network.
- Disrupts availability of the Smart Collector itself, creating blind spots in industrial network oversight.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-22312 is active and matches any image carrying Radiflow iSAP Smart Collector 3.07-1 against this advisory. Because no upstream patch exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published; for customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While awaiting a patch, recommended compensating controls include applying strict network-policy rules to isolate the Smart Collector from untrusted network segments, enforcing egress filtering to limit which hosts can initiate connections to the device's web server port, and reviewing whether the REST API endpoint can be gated behind an external authentication proxy or firewall rule at the infrastructure level.
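To check whether the network isolation recommended above actually holds, the following added example (not part of HarborGuard's or Radiflow's tooling) audits firewall or flow-log lines for connections to the collector's web server from outside an approved management subnet. The device address, management subnet, port set, and log format are all assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumed values for illustration; none of them come from the advisory.
COLLECTOR_IPS = {ipaddress.ip_address("10.20.0.15")}  # placeholder device address
WEB_PORTS = {80, 443}                                 # default HTTP/HTTPS ports
MGMT_NETS = [ipaddress.ip_network("10.20.9.0/28")]    # approved admin hosts

# Constructed sample log: "<time> <src> <dst> <dport> <ALLOW|DENY>"
SAMPLE_LOG = """\
2026-01-10T08:01:02Z 10.20.9.4 10.20.0.15 443 ALLOW
2026-01-10T08:03:11Z 10.20.31.77 10.20.0.15 443 ALLOW
2026-01-10T08:03:12Z 10.20.31.77 10.20.0.15 443 ALLOW
2026-01-10T08:05:40Z 192.0.2.50 10.20.0.15 80 DENY
2026-01-10T08:06:00Z 10.20.31.77 10.20.0.22 443 ALLOW
malformed line
2026-01-10T08:07:19Z 10.20.9.200 10.20.0.15 80 ALLOW
"""

def parse(line):
    """Return (src, dst, dport, action), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def audit(log_text):
    """Tally web-port connections to the collector from outside MGMT_NETS.
    Returns (reached, blocked) Counters keyed by source IP string."""
    reached, blocked = Counter(), Counter()
    for rec in map(parse, log_text.splitlines()):
        if rec is None:
            continue
        src, dst, dport, action = rec
        if dst not in COLLECTOR_IPS or dport not in WEB_PORTS:
            continue  # not the collector's web server
        if any(src in net for net in MGMT_NETS):
            continue  # approved management source
        (reached if action == "ALLOW" else blocked)[str(src)] += 1
    return reached, blocked

if __name__ == "__main__":
    reached, blocked = audit(SAMPLE_LOG)
    for src, n in sorted(reached.items()):
        print(f"GAP: {src} reached the collector web port {n} time(s)")
```

Any source listed under `reached` is a host the current policy still lets through to the API, and so a rule that needs tightening while no fixed version exists.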
- Radiflow / iSAP Smart Collector 3.07-1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L