Streamax Crocus
CVE-2025-11911
Severity: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; NVD is the only rating source for this CVE.
Description (source: CVE.org)
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
SQL injection in Streamax Crocus 1.3.40 allows authenticated remote attackers to execute arbitrary SQL queries via the sortField parameter in the /DeviceFault.do?Action=Query endpoint. While the CVSS score is low (2.1) due to limited scope and confidentiality impact, publicly available exploit code exists and the vulnerability requires only low-privilege authentication. The vendor has not responded to early disclosure attempts, leaving no patch path available.
Technical Context (AI-generated)
Streamax Crocus is a device management or monitoring platform that exposes a web interface at /DeviceFault.do. The vulnerability stems from improper input validation on the sortField parameter, which is used in SQL query construction without sanitization or parameterized queries (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). The attack surface is the query endpoint accessible to authenticated users, indicating the application likely uses user-supplied input directly in ORDER BY or similar SQL clauses without escaping or prepared statements.
Remediation (AI-generated)
No vendor-released patch is available at this time. Immediate mitigation requires network-level controls: restrict access to the /DeviceFault.do endpoint to trusted internal networks only, implement Web Application Firewall (WAF) rules to block SQL injection patterns in the sortField parameter (e.g., detect and reject requests containing SQL keywords like UNION, SELECT, ORDER, or special characters such as single quotes and semicolons in that parameter), and enforce strong authentication with multi-factor authentication for all administrative accounts.

At the application level, if feasible, disable or remove the vulnerable Query function entirely if it is not critical to operations, or implement input validation that strictly whitelists allowed sortField values (e.g., only permit column names from a predefined safe list). Monitor logs for suspicious SQL syntax in /DeviceFault.do requests and unusual database query patterns.

These compensating controls trade operational convenience for security; strict WAF rules may generate false positives requiring tuning. Contact Streamax directly to request a patched version or migration path to an alternative product, as the vendor's lack of response to early disclosure suggests potentially poor security maintenance practices.
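The two application-level controls above, allowlisting sortField before it reaches an ORDER BY clause and screening access-log lines for /DeviceFault.do requests whose sortField fails that allowlist, as an added example. This is illustrative code written for this page, not Streamax Crocus code; the table, column names and log lines are constructed for the demo, and the ORDER BY pattern in build_query_unsafe is the general defect the advisory describes, not the product's actual query.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of sortable columns. These names are invented for the
# demo and are not taken from the Streamax Crocus schema.
ALLOWED_SORT_FIELDS = {"id", "device_id", "fault_code", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query_unsafe(sort_field):
    """The defect class the advisory describes: request input spliced into ORDER BY.
    ORDER BY cannot take a bound parameter for the column, so concatenation
    without an allowlist hands the attacker part of the SQL text."""
    return f"SELECT id, device_id, fault_code FROM device_fault ORDER BY {sort_field}"


def build_query_safe(sort_field, direction="ASC"):
    """Only a literal from the allowlist is ever placed into the SQL text."""
    field = sort_field.strip()
    if field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"sortField not permitted: {sort_field!r}")
    direction = direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not permitted: {direction!r}")
    return f"SELECT id, device_id, fault_code FROM device_fault ORDER BY {field} {direction}"


def query_faults(conn, sort_field, direction="ASC"):
    """Run the allowlisted query and return the fault ids in result order."""
    cur = conn.execute(build_query_safe(sort_field, direction))
    return [row[0] for row in cur.fetchall()]


def make_demo_db():
    """In-memory SQLite table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE device_fault (id INTEGER PRIMARY KEY, device_id TEXT, fault_code INTEGER)"
    )
    conn.executemany(
        "INSERT INTO device_fault VALUES (?, ?, ?)",
        [(1, "dev-b", 30), (2, "dev-a", 10), (3, "dev-c", 20)],
    )
    return conn


# Log screening: quote, comment, statement separator, or SQL keywords inside sortField.
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(union|select|order|sleep|benchmark)\b", re.IGNORECASE)


def flag_request(log_line):
    """True when a combined-format access-log line is a /DeviceFault.do?Action=Query
    request whose sortField is outside the allowlist or carries SQL syntax."""
    request = log_line.split('"')[1]           # 'GET /path?query HTTP/1.1'
    path = request.split()[1]
    parts = urlsplit(path)
    if parts.path != "/DeviceFault.do":
        return False
    params = parse_qs(parts.query)
    if params.get("Action") != ["Query"]:
        return False
    for value in params.get("sortField", []):
        if value not in ALLOWED_SORT_FIELDS or SUSPICIOUS.search(value):
            return True
    return False


# Constructed sample log lines (not real traffic): a benign sort and a probe with a quote.
SAMPLE_LOG = [
    '10.0.0.5 - opsuser [01/Jan/2025:10:00:00 +0000] "GET /DeviceFault.do?Action=Query&sortField=created_at HTTP/1.1" 200 512',
    '10.0.0.9 - opsuser [01/Jan/2025:10:00:01 +0000] "GET /DeviceFault.do?Action=Query&sortField=id%27-- HTTP/1.1" 200 9001',
    '10.0.0.9 - opsuser [01/Jan/2025:10:00:02 +0000] "GET /Login.do?Action=View HTTP/1.1" 200 120',
]


def flagged_lines(lines):
    """Return the indexes of log lines that should be reviewed."""
    return [i for i, line in enumerate(lines) if flag_request(line)]


if __name__ == "__main__":
    db = make_demo_db()
    print(query_faults(db, "device_id"))
    print(flagged_lines(SAMPLE_LOG))
```

The allowlist check runs before any SQL is built, so the rejected value never reaches the database driver; a WAF rule can only approximate that, which is why the page ranks application-side validation above WAF filtering. The same ALLOWED_SORT_FIELDS set drives the log screen, so a value that the fixed application would refuse is exactly the value the monitoring flags.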