HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-22313Published Modified CNA ENISA

CVE-2026-22313: OS Commands Executed with Administrative Permissions in Radiflow iSAP Smart Collector

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

OS command injection in Radiflow iSAP Smart Collector (version 3.07-1) allows an authenticated attacker to send crafted requests to the device's REST API over the network. The CVSS vector confirms the attack is network-reachable and requires a high-privilege (admin-level) token, but no victim interaction is needed. Successful exploitation gives the attacker full OS-level command execution with administrative permissions, enabling complete confidentiality loss, data tampering, and service disruption. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream releases one.

HarborGuard Coverage

Detection

Detection of CVE-2026-22313 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package Radiflow iSAP Smart Collector 3.07-1. Any image containing the affected version will surface as a finding in the customer's registry and CI/CD pipeline scans.

Available
Triage

Triage is available with the CVSS v3.1 base score of 9.1 (Critical) applied automatically to each finding, weighted further by per-environment compliance policy settings. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and asset ownership rules.

Available
Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Radiflow publishes a remediated release. In the meantime, customers with auto-remediation enabled will receive an alert on each ingest cycle confirming the advisory status, keeping affected workloads continuously visible until a patch becomes actionable.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the device's REST API over the network; the management network interface exposes the vulnerable endpoint remotely.

  • AuthenticationRequired

    A high-privilege API token is required; the attacker must possess or steal an administrative credential to authenticate to the REST API.

  • Victim interactionNot required

    No victim interaction is needed; the attacker sends crafted API requests directly without any user clicking or approving anything.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental prerequisites beyond holding a valid admin token.

Blast Radius

  • The attacker executes arbitrary OS commands as the administrative user on the underlying operating system of the iSAP Smart Collector device.
  • Full read access to all files and data on the device, including stored credentials, configuration secrets, and collected network telemetry.
  • The attacker can write or delete files, modify device configuration, and alter collected OT/ICS data in place.
  • The device can be crashed, rebooted, or rendered permanently unavailable, disrupting visibility into the operational technology network it monitors.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of CVE-2026-22313 is active for any customer image containing Radiflow iSAP Smart Collector 3.07-1, with findings surfaced at Critical (9.1) severity. Because no upstream fix exists today, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment Radiflow publishes a remediated version. While awaiting a patch, HarborGuard recommends applying compensating controls where possible: restrict network access to the REST API management interface via network policy to only trusted management hosts, enforce egress filtering on the collector host to limit lateral movement if the device is compromised, and audit which accounts hold valid admin API tokens to reduce the credential-theft surface.

See how HarborGuard automates this
Affected packages
  • Radiflow / iSAP Smart Collector
    3.07-1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References