Streamax Crocus CVE-2025-11912

Severity: LOW
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published: 2025-10-17 (CNA: cna@vuldb.com)
Score: 2.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD) breakdown:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 02:18 (vuln.today)

Description (CVE.org)

A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes SQL injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in Streamax Crocus 1.3.40 allows authenticated remote attackers to manipulate the orderField parameter in the /DeviceState.do?Action=Query endpoint, potentially extracting or modifying database contents. The vulnerability requires valid credentials but carries minimal confidentiality and integrity impact per CVSS scoring. Public exploit code is available, though EPSS exploitation probability remains low at 0.03%, suggesting either limited technical feasibility, narrow applicability, or defensive measures in typical deployments.

Technical Context (AI)

Streamax Crocus is a device management platform vulnerable to SQL injection through improper input validation in the Query action handler. The vulnerability stems from CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component): user-controlled input from the orderField parameter is incorporated directly into SQL queries without sanitization. The /DeviceState.do endpoint processes HTTP requests carrying the Action=Query parameter, and the orderField argument is passed into database query construction without parameterized statements or escaping. This is a classic second-order SQL injection risk where attacker-supplied database sort criteria bypass filtering mechanisms designed for other input vectors.

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the vendor did not respond to the early disclosure contact. Immediate actions:

- Restrict network access to the /DeviceState.do endpoint via firewall rules or a Web Application Firewall (WAF), allowing traffic only from trusted internal networks.
- Implement strong authentication mechanisms (strong passwords, multi-factor authentication) to limit credential compromise risk, since the vulnerability requires PR:L authentication.
- Enable SQL query logging and monitor for suspicious orderField parameters containing SQL syntax (UNION, SELECT, OR, etc.).
- Implement input validation and parameterized query fixes at the application level if source code is accessible.

For defense in depth, deploy a WAF with SQL injection detection rules and consider upgrading to a newer Crocus version if one is available, though vendor responsiveness is unknown. Organizations unable to patch should prioritize removing internet exposure of the Crocus administrative interface.
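The allowlist fix and the orderField log check recommended above, as an added example that is not code from Streamax or from this advisory. The device_state table and its column names are constructed assumptions; the point the example makes is that an ORDER BY column cannot be bound as a prepared-statement parameter, so a sort field needs an allowlist rather than a placeholder.

```python
import re
import sqlite3

# Assumed external-name -> column mapping; the real Crocus schema is not public.
ALLOWED_ORDER_FIELDS = {
    "deviceId": "device_id",
    "lastOnline": "last_online",
    "status": "status",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_query_vulnerable(order_field: str) -> str:
    # The anti-pattern the advisory describes: the request parameter is
    # concatenated straight into the ORDER BY clause.
    return "SELECT device_id, status, last_online FROM device_state ORDER BY " + order_field

def build_query_safe(order_field: str, direction: str = "asc") -> str:
    # Column names cannot be bound with '?' placeholders, so map the external
    # name to a known column and reject anything else, whatever it contains.
    column = ALLOWED_ORDER_FIELDS.get(order_field)
    if column is None:
        raise ValueError(f"orderField not permitted: {order_field!r}")
    sort = ALLOWED_DIRECTIONS.get(direction.lower())
    if sort is None:
        raise ValueError(f"sort direction not permitted: {direction!r}")
    return f"SELECT device_id, status, last_online FROM device_state ORDER BY {column} {sort}"

def query_device_state(order_field: str, direction: str = "asc") -> list:
    # Runs the allowlisted query against an in-memory table of constructed rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_state (device_id TEXT, status TEXT, last_online INTEGER)")
    conn.executemany(
        "INSERT INTO device_state VALUES (?, ?, ?)",
        [("cam-02", "online", 170), ("cam-01", "offline", 120), ("cam-03", "online", 200)],
    )
    rows = conn.execute(build_query_safe(order_field, direction)).fetchall()
    conn.close()
    return rows

# Log-review / WAF hook: a legitimate orderField is a bare identifier, so any
# quote, parenthesis, statement separator or SQL keyword is worth an alert.
SUSPICIOUS_ORDER_FIELD = re.compile(
    r"[;'\"()]|\b(UNION|SELECT|OR|AND|SLEEP|WAITFOR)\b", re.IGNORECASE
)

def is_suspicious_order_field(value: str) -> bool:
    return bool(SUSPICIOUS_ORDER_FIELD.search(value))
```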

CVE-2025-11912 vulnerability details – vuln.today