Streamax Crocus
CVE-2025-11908
Severity: LOW
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Streamax Crocus 1.3.40 lets an authenticated remote attacker (PR:L in the vector, so some valid account is required) bypass upload restrictions by manipulating the File parameter of /FileDir.do?Action=Upload, so arbitrary file contents and names reach the server. The vector rates the direct impact as low (VC:L/VI:L/VA:L), which with E:P gives the CVSS 4.0 score of 2.1 shown above. The practical risk is higher than that number suggests: exploit code is public, the vendor has not responded, and an unrestricted upload turns into code execution the moment an uploaded file lands somewhere the server will execute or serve it, or when it is chained with a path-traversal or file-inclusion issue. Treat it as a foothold primitive rather than as a low-severity bug.
Technical Context (AI)
The flaw is in the upload handler of the Streamax Crocus web application: the uploadFile function behind /FileDir.do?Action=Upload. The advisory classifies it as CWE-284 (Improper Access Control); the behaviour described, an upload whose name and type are not restricted, is the pattern CWE-434 (Unrestricted Upload of File with Dangerous Type) covers. The handler does not adequately validate the File parameter, so an authenticated user can push the request past its intended limits: a check on file type (extension and content), on size, or on the destination path is either missing or bypassable. Typical bypasses for this class are a double extension (shell.png.jsp), a client-supplied Content-Type that is trusted instead of inspecting the bytes, and directory components in the filename that move the file out of the upload directory. Which of these applies to Crocus is not stated on this page. The affected version named in the advisory is 1.3.40.
Remediation (AI)
No vendor patch has been identified at the time of analysis, and the vendor did not respond to disclosure. Until a fix exists, reduce exposure in layers. Network: restrict reach to /FileDir.do (ideally to the whole management interface) with firewall or reverse-proxy rules; because the flaw needs only a low-privilege account, this limits who can attempt it but does not remove the bug for anyone holding credentials, so also review who has Crocus accounts. Functionality: disable the upload feature if it is not operationally required. Validation: enforce an allow-list of permitted extensions checked against the file's actual bytes rather than the client-supplied Content-Type, cap the size, discard any directory component of the submitted name, and store the file under a server-generated name. Storage: keep uploads outside the web root, or in a directory the server will not execute from, with restrictive permissions (mode 644, owned by the application user). Server: disable script execution for the upload directory in whatever serves it (.htaccess or a Directory block in Apache, an nginx location block that serves static files only, IIS request filtering); the .do mapping suggests a Java servlet container, in which case the upload path must not sit inside a deployed webapp. Detection: watch the upload directory and the webapp directories for new files with executable extensions (.jsp, .jspx, .war, .sh, .php), and alert on POSTs to /FileDir.do?Action=Upload whose filename carries such an extension. Ask Streamax for a patch; if none is forthcoming, isolate the deployment (dedicated VLAN, no internet exposure) or evaluate a replacement.
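The validation steps above, and the flaw the Technical Context section describes, written out as an added example in Python. This is not Streamax code: the page does not show the source of uploadFile, and vulnerable_store below is a reconstruction of the unrestricted pattern the advisory describes, not the actual handler. The paths WEBAPP_UPLOAD_DIR and UPLOAD_ROOT, the ALLOWED table and the SAMPLES list are constructed assumptions for illustration.

```python
"""Allow-list upload validation beside the unrestricted pattern.

Added example, not Streamax code. WEBAPP_UPLOAD_DIR, UPLOAD_ROOT, ALLOWED
and SAMPLES are constructed assumptions; vulnerable_store() reconstructs
the pattern the advisory describes, not the real uploadFile.
"""
import posixpath
import secrets
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath

# Assumed layout: the vulnerable pattern writes under the deployed webapp,
# the hardened one writes to a directory no web server executes from.
WEBAPP_UPLOAD_DIR = "/opt/crocus/webapps/ROOT/upload"
UPLOAD_ROOT = "/var/lib/crocus-uploads"
MAX_BYTES = 5 * 1024 * 1024

# Permitted extension -> magic-byte prefixes the content must start with.
# The client's Content-Type header is deliberately never consulted.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def vulnerable_store(filename: str) -> str:
    """Unrestricted pattern: the client-chosen File name decides the path.
    A traversal name escapes the upload directory into the webapp itself."""
    return posixpath.normpath(posixpath.join(WEBAPP_UPLOAD_DIR, filename))


def validate_upload(filename: str, content: bytes) -> Verdict:
    # 1. Keep only the final path component, for both separator styles, so
    #    neither '../../x.png' nor '..\\..\\x.png' carries a directory.
    base = PureWindowsPath(PurePosixPath(filename).name).name
    if not base or base in (".", "..") or any(ord(c) < 32 for c in base):
        return Verdict(False, "empty, traversal-only or control characters")
    # 2. Size cap before any content inspection.
    if len(content) > MAX_BYTES:
        return Verdict(False, "too large")
    # 3. Allow-list on the last suffix only: 'shell.png.jsp' ends in jsp and
    #    is rejected; a bare 'shell' or a dotfile is rejected too.
    name, dot, ext = base.lower().rpartition(".")
    if not dot or not name or ext not in ALLOWED:
        return Verdict(False, f"extension not allowed: {base}")
    # 4. The bytes must match the declared type.
    if not content.startswith(ALLOWED[ext]):
        return Verdict(False, f"content is not {ext}")
    # 5. Server-generated name: the submitted name never reaches the filesystem.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def destination(verdict: Verdict) -> str:
    """Final path for an accepted upload; always directly under UPLOAD_ROOT."""
    if not verdict.accepted:
        raise ValueError(verdict.reason)
    return posixpath.join(UPLOAD_ROOT, verdict.stored_name)


PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)  # constructed minimal PNG prefix
# Constructed sample requests: (File parameter, request body)
SAMPLES = [
    ("photo.png", PNG),
    ("shell.jsp", b"<% Runtime.getRuntime(); %>"),
    ("shell.png.jsp", PNG),
    ("shell.jsp\x00.png", PNG),
    ("../../webapps/ROOT/shell.png", PNG),
    ("..\\..\\webapps\\ROOT\\shell.png", PNG),
    ("fake.png", b"<html>not an image</html>"),
    ("big.pdf", b"%PDF-" + bytes(MAX_BYTES)),
]


def run_samples() -> dict:
    """Run every sample through the hardened check, keyed by submitted name."""
    return {name: validate_upload(name, body) for name, body in SAMPLES}


if __name__ == "__main__":
    print("unrestricted:", vulnerable_store("../../shell.jsp"))
    for name, v in run_samples().items():
        status = "ACCEPT" if v.accepted else "REJECT"
        print(f"{name!r:40} {status:7} {v.reason}")
```

The traversal samples are accepted, which is the point: the directory part is discarded and the file still lands directly under UPLOAD_ROOT under a random name, so the submitted name never influences where anything is written. Run as a script it prints one verdict per sample; the same functions can be dropped behind any multipart parser.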
External POC / Exploit Code