CVE-2025-11911

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus 1.3.40 lets a remote attacker alter the database query behind the /DeviceFault.do?Action=Query endpoint through the sortField parameter. Because the value lands in an ORDER BY clause, the attacker controls part of the query text rather than a bound value and can, depending on the privileges of the application's database account, read, modify or delete database contents. Organizations running Streamax Crocus 1.3.40 are affected; no vendor fix has been published.

💻 Affected Systems

Products:
  • Shenzhen Ruiming Technology Streamax Crocus
Versions: 1.3.40
Operating Systems: Unknown - the host platform is not stated in the disclosure
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is the /DeviceFault.do?Action=Query endpoint; the injection point is the sortField parameter

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read, write and delete access to every table the endpoint's database account can reach, including device, fault and account records; if that account also holds file-system or command-execution privileges on the database server, compromise of the host follows

🟠

Likely Case

Extraction of database contents (including any account credentials stored there), tampering with fault and device records, and use of recovered credentials to escalate within the application

🟢

If Mitigated

Limited impact: with sortField mapped onto an allowlist of column names and a least-privilege database account, the parameter cannot change the query and a successful injection would reach nothing beyond the tables the endpoint needs

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication
🏢 Internal Only: MEDIUM - anyone with network reach to the web interface can exploit it; exposure is lower only because the attacker population is smaller

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available, remote exploitation possible, no authentication required

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer versions if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all versions

Validate sortField against an allowlist of known sort keys and map each key to the column name in code; reject anything else with a generic 400. Do not try to strip or escape the value: ORDER BY takes an identifier or expression, so parameter binding cannot be used here and blocklist filtering is bypassable.

WAF Rule

Applies to: all versions

Deploy a web application firewall rule that rejects requests to /DeviceFault.do whose sortField value is not a plain identifier (letters, digits, underscore), rather than one that matches SQL keywords; keyword blocklists miss boolean- and time-based payloads and are evaded with URL encoding and inline comments. Treat this as a stopgap until the application validates the parameter itself.
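The following is an added example, not code from Streamax or from the original advisory. It shows, in Python against an in-memory SQLite stand-in for the application database, why a sort field concatenated into ORDER BY is injectable even though no data value is being interpolated, how an attacker turns the result order into a one-bit oracle without UNION or error messages, and the allowlist mapping that the Input Validation Filter workaround above calls for. The table and column names (device_fault, sys_user, device_id, fault_time and so on) and the sort keys are assumptions for illustration; the real Crocus schema is not on this page.

```python
import sqlite3

# Assumed sort keys as exposed to the client, mapped to assumed column names.
# Only the keys are ever accepted from the request; the column names never leave the code.
ALLOWED_SORT_FIELDS = {
    "deviceId": "device_id",
    "faultCode": "fault_code",
    "faultTime": "fault_time",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def setup_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the application database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_fault (device_id TEXT, fault_code TEXT, fault_time TEXT)")
    conn.execute("CREATE TABLE sys_user (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO device_fault VALUES (?, ?, ?)",
        [("DEV-002", "E07", "2025-01-01"),
         ("DEV-001", "E12", "2025-01-03"),
         ("DEV-003", "E01", "2025-01-02")],
    )
    # Constructed secret that the injection will probe one character at a time.
    conn.execute("INSERT INTO sys_user VALUES ('admin', 'hash-redacted')")
    return conn


def query_faults_vulnerable(conn: sqlite3.Connection, sort_field: str) -> list[str]:
    """The pattern behind this CVE class: the ORDER BY target is pasted in from the request.
    Bound parameters cannot fix this, because ORDER BY takes an identifier or expression,
    not a value. Returns device ids in result order."""
    sql = "SELECT device_id, fault_code, fault_time FROM device_fault ORDER BY " + sort_field
    return [row[0] for row in conn.execute(sql)]


def blind_probe_vulnerable(conn: sqlite3.Connection, guess: str) -> str:
    """Attacker's view: an ORDER BY expression whose outcome depends on another table.
    If the guess for the first character of the admin hash is right the rows sort by
    device_id, otherwise by fault_time, so the first row leaks one bit per request."""
    payload = (
        "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM sys_user WHERE username = 'admin')"
        f" = '{guess}' THEN device_id ELSE fault_time END)"
    )
    return query_faults_vulnerable(conn, payload)[0]


def resolve_sort(sort_field: str, direction: str = "asc") -> str:
    """Hardened: map the client-supplied key onto the allowlist; anything else is rejected.
    Nothing from the request is ever copied into the SQL text."""
    column = ALLOWED_SORT_FIELDS.get(sort_field)
    order = ALLOWED_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError(f"invalid sort parameter: {sort_field!r} {direction!r}")
    return f"{column} {order}"


def query_faults_hardened(conn: sqlite3.Connection, sort_field: str, direction: str = "asc") -> list[str]:
    sql = ("SELECT device_id, fault_code, fault_time FROM device_fault ORDER BY "
           + resolve_sort(sort_field, direction))
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, honest request:", query_faults_vulnerable(db, "device_id"))
    print("oracle says 'h' correct?  ", blind_probe_vulnerable(db, "h") == "DEV-001")
    print("oracle says 'x' correct?  ", blind_probe_vulnerable(db, "x") == "DEV-001")
    print("hardened, faultTime desc: ", query_faults_hardened(db, "faultTime", "desc"))
    try:
        query_faults_hardened(db, "(CASE WHEN 1=1 THEN device_id ELSE fault_time END)")
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The web layer should turn the ValueError into a generic 400 without echoing the offending value or any database error text, which is also what the "Verify Fix Applied" step below looks for.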

🧯 If You Can't Patch

  • Isolate the system behind a firewall so that only the hosts and operator networks that need the web interface can reach it
  • Run the application's database account with least privilege (read-only where the endpoint permits, no file-system or command-execution privileges) and segment the database server so an injection cannot be turned into a foothold elsewhere

🔍 How to Verify

Check if Vulnerable:

On a system you are authorized to test, request /DeviceFault.do?Action=Query with a normal sortField value, then with a value that only changes the result order (or adds a delay) when a true condition holds. A response that tracks the condition confirms the injection; a generic 400 for any value that is not a plain identifier indicates the parameter is being validated.

Check Version:

Check system version through admin interface or configuration files

Verify Fix Applied:

Verify that sortField values outside the allowlist are rejected with a generic error (for example HTTP 400) that does not echo SQL syntax or database error text, and that the result order no longer depends on the injected expression

📡 Detection & Monitoring

Log Indicators:

  • ORDER BY clauses containing subqueries, CASE expressions, comment markers or quotes in database query logs
  • SQL syntax errors in application logs, in particular clustered around requests to /DeviceFault.do
  • Repeated 4xx or 5xx responses for /DeviceFault.do from a single source, which indicates a scanner or a manual probe

Network Indicators:

  • HTTP requests to /DeviceFault.do with suspicious sortField values
  • SQL keywords, comment markers (--, /*) or quotes in URL parameters, including in URL-encoded form

SIEM Query:

source="web_logs" AND uri="/DeviceFault.do" AND param="sortField" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--" OR value CONTAINS "/*" OR value CONTAINS "CASE" OR value CONTAINS "SLEEP")

URL-decode the parameter value and compare case-insensitively before applying the CONTAINS tests. A keyword match is a trigger for review; a sortField value that is not a plain identifier is the more reliable signal, since boolean- and time-based payloads need not contain UNION or SELECT.

🔗 References
