CVE-2025-3497
Published: 09 July 2025
Summary
CVE-2025-3497 is a high-severity Use of Unmaintained Third Party Components (CWE-1104) vulnerability affecting the Radiflow iSAP Smart Collector (the feed's vendor field reads "Gov", inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 36.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): directly prohibits, or requires mitigation for, unsupported system components such as the EOL CentOS 7 underlying the Radiflow iSAP Smart Collector.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of flaws, requiring upgrade or replacement of the EOL OS to address unmitigated vulnerabilities.
- Vulnerability scanning: enables ongoing scanning to identify exploitable flaws in the unsupported CentOS 7 components before they are exploited.
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
An EOL, unmaintained OS directly enables remote exploitation of known public vulnerabilities in the underlying CentOS 7 components.
NVD Description
The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product.
Deeper analysis
CVE-2025-3497 stems from the use of an obsolete Linux distribution, CentOS 7, underlying the Radiflow iSAP Smart Collector (VSAP 1.20), which reached end of life on June 30, 2024. This end-of-life status, classified under CWE-1104 (Use of Unmaintained Third Party Components), leaves the product vulnerable to any unmitigated vulnerabilities present in the unsupported OS.
The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H): exploitation is possible over the network with low attack complexity and no user interaction, but requires high privileges. A successful attack can result in high integrity and availability impacts with a changed scope, while confidentiality remains unaffected.
Mitigation guidance is available in the advisory published at https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3497.
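As an added defender-side example (not code from the advisory, NVD, or Radiflow), the following Python check parses an /etc/os-release file and flags a distribution that has passed its end-of-life date, which is the CWE-1104 condition behind this CVE. The EOL table and the sample os-release content are constructed here; only the CentOS 7 date comes from the advisory.

```python
from datetime import date

# Constructed EOL table. The CentOS 7 entry uses the date stated in the advisory;
# extend it from vendor lifecycle pages for other distributions in your inventory.
EOL_DATES = {
    ("centos", "7"): date(2024, 6, 30),
}

def parse_os_release(text):
    """Parse /etc/os-release style KEY=VALUE lines into a dict, stripping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields

def eol_status(os_release_text, today_iso):
    """Return (distro_id, major_version, eol_date or None, is_eol).

    is_eol is True only when today is strictly after the EOL date; an unknown
    distro/version pair yields eol_date None and is_eol False (needs manual review).
    """
    today = date.fromisoformat(today_iso)
    fields = parse_os_release(os_release_text)
    distro = fields.get("ID", "").lower()
    major = fields.get("VERSION_ID", "").split(".")[0]
    eol = EOL_DATES.get((distro, major))
    return distro, major, eol, bool(eol and today > eol)

# Constructed sample resembling a CentOS 7 host's /etc/os-release (not captured
# from a real iSAP Smart Collector).
SAMPLE_CENTOS7 = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
'''

if __name__ == "__main__":
    distro, major, eol, flagged = eol_status(SAMPLE_CENTOS7, "2025-07-09")
    if flagged:
        print(f"{distro} {major}: EOL since {eol.isoformat()}; CWE-1104 exposure, "
              f"schedule OS upgrade or replacement (SA-22 / SI-2)")
    else:
        print(f"{distro} {major}: supported, or lifecycle unknown (review manually)")
```

Run it against each collected os-release file (for example from a fleet inventory job) to produce a list of hosts that need the SA-22 / SI-2 treatment described above.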
Details
- CWE(s): CWE-1104 (Use of Unmaintained Third Party Components)