Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Streamax Crocus 1.3.44 parameter handler allows unauthenticated remote attackers to manipulate the State argument in /DevicePrint.do?Action=ReadTask endpoint, enabling database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notification and no patch is available.
Technical ContextAI
The vulnerability exists in the Parameter Handler component of Streamax Crocus 1.3.44, a video surveillance and device management platform by Shenzhen Ruiming Technology. The root cause is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component-'Injection'), specifically SQL injection. The affected endpoint /DevicePrint.do?Action=ReadTask fails to properly sanitize or parameterize the State argument before passing it to SQL queries, allowing attackers to craft malicious SQL statements. This is a classic input validation failure where user-supplied data reaches the database layer without proper escaping or prepared statement use.
RemediationAI
No vendor-released patch is identified at time of analysis. Immediate actions: (1) Upgrade Streamax Crocus to a version newer than 1.3.44 if the vendor releases one; monitor vendor communication channels and VulDB for patch announcements. (2) As interim mitigation, restrict network access to the /DevicePrint.do endpoint via firewall or reverse proxy to trusted administrative networks only. (3) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the State parameter (e.g., detection of single quotes, UNION keywords, or comment sequences). (4) Enable database activity monitoring and alerting on unusual SQL patterns from the Crocus application account. (5) Conduct database access reviews to ensure Crocus runs with minimum required privileges (no administrative database roles). References: VulDB entry at https://vuldb.com/?id.353833 and https://vuldb.com/?ctiid.353833.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16656