Streamax Crocus
CVE-2025-11909
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A weakness has been identified in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The impacted element is the function queryLast of the file /RepairRecord.do?Action=QueryLast. Executing manipulation of the argument orderField can lead to SQL injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
SQL injection in Streamax Crocus 1.3.40 allows authenticated remote attackers to manipulate the orderField parameter in the /RepairRecord.do?Action=QueryLast endpoint, enabling database query manipulation with limited confidentiality and integrity impact. Publicly available exploit code exists and the vendor has not responded to early disclosure notification. Despite a low CVSS score of 2.1, the combination of public exploit availability and vendor non-responsiveness increases real-world risk, though exploitation requires valid user credentials and produces only low-severity data exposure.
Technical Context (AI-generated)
The vulnerability exists in the queryLast function of Streamax Crocus, a facility management or industrial control system. The endpoint /RepairRecord.do?Action=QueryLast accepts user-supplied input in the orderField parameter without proper sanitization or parameterized query mechanisms. This classic SQL injection flaw (CWE-74: Improper Neutralization of Special Elements used in an Output Command - SQL Command) allows attackers to inject arbitrary SQL syntax into database queries. The attack operates over the network (AV:N) with low complexity (AC:L) and does not require special timing or race conditions (AT:N). The vulnerability is classified as an information disclosure and data manipulation issue rather than a critical system compromise, as reflected in the low impact on the vulnerable system (VC:L, VI:L, VA:L) and the absence of impact on subsequent systems (SC:N, SI:N, SA:N).
Remediation (AI-generated)
No vendor-released patch identified at time of analysis. Organizations running Streamax Crocus 1.3.40 must implement compensating controls immediately.

Primary mitigations:
(1) Apply strict input validation and filtering to all HTTP parameters, specifically blocking SQL metacharacters (single quotes, double dashes, semicolons, keywords like UNION, SELECT) in the orderField parameter before it reaches the database layer.
(2) Enforce parameterized queries or prepared statements in the queryLast function to separate SQL logic from user data.
(3) Restrict access to the /RepairRecord.do endpoint via network segmentation or IP whitelisting, limiting exposure to trusted administrative networks.
(4) Implement database-level access controls to ensure the application account has the minimal necessary privileges (read-only access to the RepairRecord table if possible, no administrative functions).

Secondary mitigations: deploy a Web Application Firewall (WAF) with SQL injection detection rules on the /RepairRecord.do endpoint; enable comprehensive SQL query logging and alerting to detect injection attempts; conduct an audit of existing database access logs to identify any prior exploitation. Contact Streamax support to request guidance on patched versions or extended support options given the vendor's apparent non-responsiveness.
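One caveat on mitigation (2): an orderField value is almost always spliced into an ORDER BY clause as a column identifier, and identifiers cannot be bound with prepared-statement placeholders, so the fix for that parameter is an allowlist of known column names rather than a bound parameter. The following is an added example, not code from Streamax Crocus or from this advisory; the repair_record table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed in-memory stand-in for a repair-record table. Table and column
# names are assumptions for this example, not taken from the product.
SCHEMA = """
CREATE TABLE repair_record (
    id          INTEGER PRIMARY KEY,
    vehicle_id  TEXT NOT NULL,
    repaired_at TEXT NOT NULL,
    status      TEXT NOT NULL
);
"""
ROWS = [
    (1, "BUS-101", "2025-01-10", "closed"),
    (2, "BUS-102", "2025-03-02", "open"),
    (3, "BUS-101", "2025-02-20", "closed"),
]

# Column identifiers cannot be passed as '?' parameters, so a caller-chosen
# sort column is matched against a fixed allowlist and rejected otherwise.
ALLOWED_ORDER_FIELDS = frozenset({"id", "vehicle_id", "repaired_at", "status"})


def order_field_is_allowed(order_field: str) -> bool:
    """Exact match only: no escaping, no keyword blocklist."""
    return order_field in ALLOWED_ORDER_FIELDS


def build_query_vulnerable(order_field: str) -> str:
    """The pattern the advisory describes: untrusted text spliced into SQL."""
    return f"SELECT * FROM repair_record ORDER BY {order_field} DESC LIMIT 1"


def build_query_safe(order_field: str) -> str:
    """Only a known column name reaches the query text."""
    if not order_field_is_allowed(order_field):
        raise ValueError(f"rejected orderField: {order_field!r}")
    return f'SELECT * FROM repair_record ORDER BY "{order_field}" DESC LIMIT 1'


def query_last(order_field: str) -> Optional[Tuple]:
    """Hardened 'return the last record sorted by field' handler."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO repair_record VALUES (?, ?, ?, ?)", ROWS)
        return conn.execute(build_query_safe(order_field)).fetchone()
    finally:
        conn.close()
```

The WAF and query-logging controls above remain useful as a second layer; the allowlist is what removes the injection point itself.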