Streamax Crocus
CVE-2025-11913
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Path traversal in the Download function of Streamax Crocus 1.3.40 allows authenticated remote attackers to read arbitrary files by manipulating the Path parameter of /Service.do?Action=Download requests. The CVSS score is low (2.1) because exploitation requires authenticated access and the impact is confined to confidentiality, but publicly available exploit code exists and the vendor has not responded to disclosure efforts.
Technical Context (AI)
The vulnerability resides in the Download service endpoint (/Service.do?Action=Download) of Streamax Crocus, a surveillance and security management system. The Path parameter is not validated or sanitised before it is used in file system operations, so directory traversal sequences such as '../' or absolute paths reach the file API unchanged. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) weakness. The affected product is identified by the CPE cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*, i.e. version 1.3.40 of Streamax Crocus from Shenzhen Ruiming Technology. Exploitation requires authenticated access (PR:L in the CVSS 4.0 vector): the attacker must hold valid credentials or an existing session to reach this endpoint.
Remediation (AI)
No vendor-released patch is currently available for this vulnerability. Organizations running Streamax Crocus 1.3.40 should implement the following compensating controls:
(1) Restrict network access to the /Service.do endpoint to trusted internal networks only, using firewall rules or reverse-proxy access controls; this significantly reduces risk by limiting who can reach the vulnerable interface.
(2) Enforce strong authentication and monitor login attempts for brute-force activity, since the vulnerability requires valid credentials.
(3) Implement input validation at the application or WAF level to block path traversal sequences (../, ..\, and absolute paths) in the Path parameter; a WAF rule that blocks requests containing '../' or a leading '/' in this parameter can prevent exploitation.
(4) Monitor file access logs for unusual download patterns or access to sensitive directories outside expected paths.
Contact Shenzhen Ruiming Technology directly to request a patched version or a remediation timeline. If these controls cannot be implemented, consider isolating or decommissioning Streamax Crocus 1.3.40 until a patch becomes available.
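As an added illustration of the input-validation control above (not code from vuln.today or from the vendor), the following Python validator canonicalises a Path value against an assumed export directory and accepts it only if the result stays below that directory; unlike a bare '../' string match, it also catches percent-encoded and backslash forms. EXPORT_ROOT and the sample query strings are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qsl, unquote

# Constructed root; in a real deployment this is the directory the
# Download action is meant to serve files from (an assumption here).
EXPORT_ROOT = "/opt/crocus/exports"

def resolve_download_path(path_param: str, root: str = EXPORT_ROOT) -> Optional[str]:
    """Return the canonical path for a Path value that stays inside root,
    or None when it escapes. Purely lexical: symlinks under root are not
    followed, so also resolve with os.path.realpath before opening."""
    # Decode twice so single- and double-percent-encoded traversal
    # (%2e%2e%2f, %252e%252e%252f) is visible to the checks that follow.
    decoded = unquote(unquote(path_param))
    # Treat backslashes as separators so '..\' is caught on any platform.
    decoded = decoded.replace("\\", "/")
    # Empty values, absolute paths and embedded NULs are never valid.
    if not decoded or decoded.startswith("/") or "\x00" in decoded:
        return None
    # Join, collapse '.' and '..', then require the result to sit below root.
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate

# Constructed query strings in the shape of the affected endpoint's
# requests; they are illustrations, not captured traffic.
SAMPLE_REQUESTS = [
    "Action=Download&Path=reports/2025-10.csv",
    "Action=Download&Path=../../../../etc/passwd",
    "Action=Download&Path=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "Action=Download&Path=..%5c..%5cwindows%5cwin.ini",
    "Action=Download&Path=/etc/shadow",
    "Action=Download&Path=sub/../reports/a.csv",
]

def audit_requests(query_strings):
    """Pair each query string with the path the validator would allow
    (None means the request should be refused and logged)."""
    results = []
    for qs in query_strings:
        params = dict(parse_qsl(qs, keep_blank_values=True))
        results.append((qs, resolve_download_path(params.get("Path", ""))))
    return results
```

The same comparison can drive a WAF or reverse-proxy rule: anything for which the function returns None is blocked before it reaches /Service.do.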