Streamax Crocus
CVE-2025-11914
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Path traversal in Streamax Crocus 1.3.40 lets an authenticated remote attacker read files outside the intended download directory by manipulating the FilePath parameter of the /DeviceFileReport.do?Action=Download endpoint. The flaw sits in the file download function; the CVSS vector rates only confidentiality impact, at Low, which is why the overall score is just 2.1. That score understates the operational risk: exploit code is public, and the vendor has not responded to the disclosure, so no patch has been identified.
Technical Context (AI)
The vulnerability is a CWE-22 path traversal flaw in the DeviceFileReport.do web handler. The Download action does not validate or canonicalize the FilePath parameter before using it in file system operations, so directory traversal sequences (../) escape the intended download directory, and an absolute path can replace it outright when the value is joined onto the base directory. This is a classic input validation failure in web application file-serving logic. A literal "../" is only the simplest form: percent-encoded (%2e%2e%2f), double-encoded and backslash variants reach the same place on many stacks, so any check has to run on the fully decoded, normalized path rather than on the raw parameter. The affected product is Streamax Crocus version 1.3.40, identified by CPE cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*. The vector requires low privileges (PR:L), meaning a low-privileged application account suffices rather than an unauthenticated attacker; the advisory does not state which roles can reach the Download action. Whatever the role, the server reads files with the privileges of the application's service account, which bounds what can be retrieved.
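To make the failure mode concrete, the following is an added example and not code from Streamax Crocus or from vuln.today: a naive resolver that reproduces the flawed pattern (user input joined straight onto the download directory) beside a hardened resolver that decodes, normalizes and confines the path. The function names, the directory layout and the payloads are all constructed for the demonstration.

```python
"""Path traversal in a file-download handler: the flawed join beside a hardened resolver.

Added example, not code from Streamax Crocus. Function and directory names are assumed.
"""
import os
import tempfile
import urllib.parse
from pathlib import Path


class TraversalAttempt(ValueError):
    """Raised when a requested FilePath would escape the download directory."""


def vulnerable_resolve(base_dir: str, file_path: str) -> str:
    # The anti-pattern: the attacker-controlled value is joined straight onto
    # the download directory. "../" walks out of it, and os.path.join drops
    # base_dir entirely when file_path is absolute.
    return os.path.normpath(os.path.join(base_dir, file_path))


def hardened_resolve(base_dir: str, file_path: str) -> Path:
    """Return the real file under base_dir, or raise TraversalAttempt."""
    base = Path(base_dir).resolve()

    # Decode until stable so %2e%2e and double-encoded %252e%252e are seen as "..".
    decoded = file_path
    for _ in range(3):
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step

    # Treat backslash as a separator (a Windows host would), and refuse NUL
    # bytes, which truncate paths in some native file APIs.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in FilePath")

    candidate = Path(decoded)
    if candidate.is_absolute() or any(part == ".." for part in candidate.parts):
        raise TraversalAttempt(f"rejected FilePath {file_path!r}")

    # Canonicalize (follows symlinks) and confirm the result is still inside base.
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise TraversalAttempt(f"{file_path!r} resolves outside {base}")
    if not target.is_file():
        raise FileNotFoundError(file_path)
    return target


def demo() -> dict:
    """Exercise both resolvers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "reports")
        base.mkdir()
        (base / "report1.txt").write_text("device report")
        secret = Path(tmp, "secret.txt")  # sits outside the download directory
        secret.write_text("not for download")

        results = {
            # The flawed join hands back the file outside the directory.
            "vuln_dotdot": vulnerable_resolve(str(base), "../secret.txt") == str(secret),
            "vuln_absolute": vulnerable_resolve(str(base), str(secret)) == str(secret),
            # A legitimate request still works through the hardened path.
            "hard_legit": hardened_resolve(str(base), "report1.txt").read_text(),
        }
        payloads = {
            "blocked_dotdot": "../secret.txt",
            "blocked_encoded": "..%2Fsecret.txt",
            "blocked_double_encoded": "%252e%252e/secret.txt",
            "blocked_backslash": "..\\secret.txt",
            "blocked_absolute": str(secret),
            "blocked_nul": "report1.txt\x00.pdf",
        }
        for name, payload in payloads.items():
            try:
                hardened_resolve(str(base), payload)
                results[name] = False
            except TraversalAttempt:
                results[name] = True
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of operations matters: decode first, then reject separators and ".." components, then resolve and compare against the canonical base. Comparing before resolving misses symlinks inside the download directory that point elsewhere; resolving without decoding misses encoded payloads.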
Remediation (AI)
No vendor-released patch has been identified at time of analysis, and the vendor has not responded to disclosure attempts. Until one exists, mitigate at the network and host layers:
(1) Restrict network access to the /DeviceFileReport.do endpoint with firewall rules or reverse-proxy authentication so that only trusted administrative networks can reach it; since the flaw needs only a low-privileged account, also review who holds such accounts.
(2) At a reverse proxy or WAF in front of the application, reject requests whose FilePath parameter, after full URL decoding, contains a ".." path component, a backslash, a NUL byte, or an absolute path; a rule that matches only the literal string "../" is bypassed by encoded variants.
(3) Run the application under a service account whose file system permissions are limited to the intended download directory and the files it genuinely needs, so a traversal that gets past the proxy cannot read configuration, credential or system files.
(4) Monitor access logs for requests to this endpoint whose decoded FilePath contains "../" or points at system directories, and treat hits from authenticated accounts as possible credential misuse.
If the product is no longer actively maintained, evaluate replacing it; a WAF rule set targeting path traversal on this endpoint reduces exposure but does not remove the flaw.
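The monitoring step above, as an added example that is not from the vendor or from vuln.today: a detector that parses web-server access log lines, isolates requests to /DeviceFileReport.do, fully decodes the FilePath parameter and flags the traversal forms discussed on this page. The log lines are constructed in Apache/nginx combined format, and the field layout is an assumption about how the application is fronted.

```python
"""Flag path-traversal attempts against /DeviceFileReport.do in access logs.

Added example, not vendor code. Sample log lines are constructed; the combined
log format in front of the application is an assumption.
"""
import re
import urllib.parse
from typing import Optional

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})(?:\s|$)'
)

# Locations an operator of a fleet-video product has no business downloading.
SYSTEM_PATHS = ("/etc/", "/proc/", "/windows/", "web-inf/")

# Constructed sample: one legitimate download, several traversal attempts,
# one unrelated request. Addresses are from documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - operator [12/Oct/2025:08:01:10 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=2025-10-11%2Fbus12.mp4 HTTP/1.1" 200 5120',
    '10.0.0.5 - operator [12/Oct/2025:08:02:33 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842',
    '198.51.100.7 - guest [12/Oct/2025:08:03:01 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 3311',
    '198.51.100.7 - guest [12/Oct/2025:08:03:20 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 404 0',
    '10.0.0.9 - admin [12/Oct/2025:08:04:00 +0000] "GET /DeviceFileReport.do?Action=List&FilePath=..%2Fx HTTP/1.1" 200 80',
    '203.0.113.4 - - [12/Oct/2025:08:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 900',
    '10.0.0.5 - operator [12/Oct/2025:08:06:12 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=%2Fetc%2Fshadow HTTP/1.1" 403 0',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), unify separators."""
    for _ in range(rounds):
        step = urllib.parse.unquote_plus(value)
        if step == value:
            break
        value = step
    return value.replace("\\", "/")


def classify_file_path(raw: str) -> Optional[str]:
    """Return a reason string if the FilePath looks like traversal, else None."""
    decoded = fully_decode(raw)
    if "\x00" in decoded:
        return "nul-byte"
    if any(part == ".." for part in decoded.split("/")):
        return "dot-dot"
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:/", decoded):
        return "absolute-path"
    if any(marker in decoded.lower() for marker in SYSTEM_PATHS):
        return "system-path"
    return None


def detect_traversal(lines) -> list:
    """Return one hit per suspicious FilePath sent to /DeviceFileReport.do."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m["target"])
        if not url.path.lower().endswith("/devicefilereport.do"):
            continue
        # parse_qs decodes one layer; classify_file_path handles the rest.
        params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        action = params.get("Action", [""])[0]
        for fp in params.get("FilePath", []):
            reason = classify_file_path(fp)
            if reason:
                hits.append({
                    "ip": m["ip"], "user": m["user"], "action": action,
                    "reason": reason, "file_path": fully_decode(fp),
                    "status": int(m["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in detect_traversal(SAMPLE_LOG):
        print(hit)
```

The detector flags every action on the endpoint, not only Download, since the same parameter reaching other actions is worth a look, and it records the HTTP status so a 200 on a traversal request (a likely successful read) can be triaged ahead of a 403 or 404.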
External POC / Exploit Code