CVE-2025-11908
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary files to Shenzhen Ruiming Technology Streamax Crocus systems via the /FileDir.do?Action=Upload endpoint. Attackers can exploit this to upload malicious files, potentially leading to system compromise. Organizations using Streamax Crocus version 1.3.40 are affected.
💻 Affected Systems
- Shenzhen Ruiming Technology Streamax Crocus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution, data exfiltration, or ransomware deployment via uploaded malicious files.
Likely Case
Attackers upload web shells or malware to gain persistent access, modify system files, or disrupt operations.
If Mitigated
Limited impact with proper file upload validation, but still poses risk if workarounds are bypassed.
🎯 Exploit Status
Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None - Vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or implement workarounds.
🔧 Temporary Workarounds
Block Unrestricted File Upload Endpoint
Restrict access to the vulnerable /FileDir.do endpoint using network controls or web application firewall rules, allowing only the hosts that legitimately need to reach it.
# Example WAF rule: block requests whose path is /FileDir.do and whose query string contains Action=Upload
# Example firewall rule (plaintext HTTP only: the string match cannot see inside TLS, and DROP stalls the whole TCP stream instead of returning an error, so prefer a proxy/WAF rule where one is available):
# iptables -A INPUT -p tcp --dport 80 -m string --string "/FileDir.do" --algo bm -j DROP
Implement File Upload Validation
Add server-side validation to restrict file types, extensions, and content for uploads. Because no vendor patch exists, this has to be enforced in front of the application (reverse proxy or WAF), not inside it.
# Implement server-side checks for file type, extension, and content validation
# Example: validate the file extension against an allowlist, check the MIME type and the file's magic bytes, strip any path components from the supplied filename, and scan the content for malicious patterns
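The checks listed above, as an added example in Python; this is not Streamax code (the Crocus upload handler is closed and its internals are not documented here) but a validation routine of the kind a reverse proxy or replacement handler placed in front of /FileDir.do would apply. The allowed types, size limit and MIME mapping are assumptions for the example; the sample file contents in the usage are constructed.

```python
import os
import re
import secrets

# Assumed policy for this example: allowed extensions and the magic bytes
# a file with that extension must begin with.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".txt": [b""],  # no signature; the content scan below still applies
}

# Client-declared Content-Type expected for each extension (assumed mapping).
EXPECTED_MIME = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
}

# Byte patterns that should never appear in a file an upload endpoint may
# later serve back: the opening tags used by JSP/PHP/HTML web shells.
SCRIPT_MARKERS = [b"<%", b"<?php", b"<script", b"<jsp:"]

MAX_SIZE = 5 * 1024 * 1024  # 5 MiB, assumed limit


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the caller returns HTTP 400."""


def safe_basename(filename):
    """Drop directory components (POSIX or Windows), null bytes and odd characters."""
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^\w.\-]", "_", name)
    if name in ("", ".", ".."):
        raise UploadRejected("empty or traversal filename")
    return name


def validate_upload(filename, content, content_type):
    """Return the random server-side filename to store under, or raise UploadRejected."""
    if len(content) > MAX_SIZE:
        raise UploadRejected("file too large")
    name = safe_basename(filename)
    # Judge only the LAST extension: "shell.jsp.png" is treated as ".png" and
    # must then also pass the magic-byte and content checks.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared extension")
    if any(marker in content for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers found in content")
    # The declared Content-Type is advisory: reject a mismatch, never trust it alone.
    if content_type != EXPECTED_MIME[ext]:
        raise UploadRejected(f"unexpected Content-Type {content_type!r}")
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG header
    print("stored as", validate_upload("../../webapps/ROOT/x.png", png, "image/png"))
    try:
        validate_upload("cmd.jsp", b'<% Runtime.getRuntime().exec("id"); %>', "application/octet-stream")
    except UploadRejected as exc:
        print("rejected:", exc)
```

The important design points are that the stored name is generated server-side (so a traversal path or a script extension in the client name cannot place a file somewhere executable), that the extension, the magic bytes and the declared MIME type all have to agree, and that a content scan still runs even when the first three checks pass, which is what catches a PNG-prefixed polyglot carrying a JSP payload.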
🧯 If You Can't Patch
- Isolate affected systems in a segmented network zone with strict inbound/outbound controls.
- Implement monitoring and alerting for file upload activities to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
With authorization, test whether a benign test file with a non-allowlisted extension (for example a text file named test.jsp) is accepted at http(s)://[target]/FileDir.do?Action=Upload. If the upload succeeds without any type or content restriction, the system is vulnerable.
Check Version:
Check system documentation or web interface for version information. The vulnerability affects version 1.3.40 specifically.
Verify Fix Applied:
Verify that file uploads to the endpoint are properly restricted or blocked, and only allowed file types can be uploaded.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /FileDir.do endpoint
- Uploads of executable files, scripts, or unusual file types
- Multiple failed upload attempts followed by successful upload
Network Indicators:
- HTTP POST requests to /FileDir.do?Action=Upload with file attachments
- Traffic patterns showing file uploads to this specific endpoint
SIEM Query:
Example: http.url:"/FileDir.do?Action=Upload" AND http.method:POST AND (file.extension:php OR file.extension:jsp OR file.extension:exe)
Field names depend on your log schema. Plain web-server access logs record only the request line, not the uploaded file's name, so the file.extension clause only works where a WAF or reverse proxy logs multipart metadata; otherwise alert on every POST to the endpoint and correlate with later requests for script files from the same client.
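The log indicators above, turned into detection logic as an added example (not part of the original advisory): it parses combined-format access-log lines, flags every POST to /FileDir.do with Action=Upload, flags a successful upload that follows repeated failures from the same client, and flags a later GET for a script-like file from a client that has uploaded something. The log lines are constructed for the example; the source addresses and paths are not real.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx/Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:14:01:02 +0000] "GET /login.do HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:01:09 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2025:14:01:15 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.1" 200 221 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2025:14:02:30 +0000] "GET /FileDir.do?Action=List HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:14:02:41 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:14:02:47 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:14:02:55 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions that have no business being fetched from an upload directory.
SCRIPT_EXTS = (".jsp", ".jspx", ".php", ".asp", ".aspx", ".sh", ".exe", ".war")


def parse_line(line):
    """Split one combined-format line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_upload_request(rec):
    """POST /FileDir.do with Action=Upload (value compared case-insensitively)."""
    actions = [a.lower() for a in rec["query"].get("Action", [])]
    return rec["method"] == "POST" and rec["path"] == "/FileDir.do" and "upload" in actions


def analyze(log_text):
    """Return a list of (alert_kind, client_ip, timestamp, detail) tuples."""
    alerts = []
    uploads_by_ip = defaultdict(list)   # ip -> [(timestamp, status), ...]
    failed_streak = defaultdict(int)    # ip -> consecutive failed uploads so far
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        if is_upload_request(rec):
            uploads_by_ip[ip].append((rec["ts"], rec["status"]))
            alerts.append(("upload_request", ip, rec["ts"], rec["status"]))
            if rec["status"] >= 400:
                failed_streak[ip] += 1
            else:
                if failed_streak[ip] >= 2:
                    alerts.append(("upload_after_failures", ip, rec["ts"], failed_streak[ip]))
                failed_streak[ip] = 0
        elif rec["method"] == "GET" and rec["path"].lower().endswith(SCRIPT_EXTS):
            # A script fetched by a client that previously uploaded something
            # is the pattern of a dropped web shell being used.
            if uploads_by_ip.get(ip):
                alerts.append(("script_request_after_upload", ip, rec["ts"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, this raises one alert per upload request, one for the 198.51.100.4 upload that succeeded after two failures, and one for the GET of /upload/cmd.jsp from the client that had just uploaded; on real logs the `script_request_after_upload` alert is the one worth paging on, since it covers the case where the upload itself was logged only as an opaque POST.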
🔗 References
- https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F.md
- https://vuldb.com/?ctiid.328918
- https://vuldb.com/?id.328918
- https://vuldb.com/?submit.671391