CVE-2025-11908: Unrestricted Upload in Shenzhen Ruiming Technology Streamax Crocus
A security flaw has been discovered in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The affected code is the uploadFile function, reached through /FileDir.do?Action=Upload. Manipulating the File argument leads to an unrestricted file upload. The attack can be carried out remotely. A public exploit has been released and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11908 is a vulnerability identified in Shenzhen Ruiming Technology's Streamax Crocus software version 1.3.40. The flaw exists in the uploadFile function reachable via the endpoint /FileDir.do?Action=Upload, where the 'File' argument is insufficiently validated, allowing an attacker to perform unrestricted file uploads. This means an attacker can remotely upload arbitrary files, including potentially malicious scripts or executables, without requiring authentication or user interaction. The vulnerability is exploitable over the network with low attack complexity and no privileges needed, as indicated by the CVSS 4.0 vector AV:N/AC:L/PR:L/UI:N; note that PR:L in that vector denotes "privileges required: low", so defenders should confirm whether the endpoint is reachable without a session before treating it as fully unauthenticated. The impact on confidentiality, integrity, and availability is rated low individually but is collectively significant, because an unrestricted upload can lead to remote code execution, data leakage, or service disruption. The vendor was contacted but has not responded or provided patches, and no official remediation is available. Although no active exploitation in the wild has been reported, a public exploit has been released, increasing the likelihood of attacks. The affected product is commonly used in video surveillance and fleet management solutions, which are critical in various industries. The lack of secure upload controls and of a vendor response heightens the risk profile of this vulnerability.
Potential Impact
For European organizations, the unrestricted upload vulnerability poses risks of unauthorized system access, data breaches, and disruption of surveillance or fleet management operations. Compromise of Streamax Crocus devices could let attackers deploy malware, establish persistence, or exfiltrate sensitive video or operational data. This can affect privacy compliance under GDPR if personal data is exposed. Critical infrastructure relying on these systems may experience operational interruptions or safety risks. The medium severity reflects moderate direct impact but significant potential for escalation if combined with other vulnerabilities or misconfigurations. The public availability of an exploit expands the threat landscape, particularly for organizations that have not implemented compensating controls or network segmentation. The absence of vendor patches means organizations must rely on defensive measures to mitigate risk.
Mitigation Recommendations
1. Immediately restrict network access to the affected upload endpoint (/FileDir.do?Action=Upload) using firewalls or web application firewalls (WAF) to allow only trusted IP addresses or internal networks.
2. Monitor logs for unusual file upload activity or unexpected file types and sizes.
3. Implement strict file type validation and scanning at the network perimeter if possible, blocking executable or script files.
4. Isolate Streamax Crocus devices on segmented networks to limit lateral movement in case of compromise.
5. Disable or restrict the upload functionality if feasible until a vendor patch is available.
6. Conduct regular vulnerability scans and penetration tests focusing on this endpoint.
7. Engage with Shenzhen Ruiming Technology for updates and consider alternative solutions if no remediation is forthcoming.
8. Educate security teams about this vulnerability and ensure incident response plans include scenarios involving unauthorized uploads.
9. Apply network intrusion detection systems (NIDS) signatures tuned to detect exploit attempts targeting this vulnerability.
10. Maintain backups of device configurations and data to enable recovery if compromise occurs.
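Items 1 and 2 above (source allowlisting for the endpoint and monitoring upload activity for unexpected file types) can be implemented as a log-review check until a vendor fix exists. The script below is an added example written for this page, not code from the advisory, the vendor or VulDB. It assumes a combined-format access log from a reverse proxy placed in front of the Crocus web interface, with an optional trailing "filename=..." field that the proxy has been configured to record from the multipart request; the trusted networks, the risky-extension list and every log line are constructed for illustration.

```python
"""Flag suspicious requests to the Streamax Crocus upload endpoint in proxy access logs."""
import ipaddress
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/FileDir.do"   # endpoint named in the advisory
UPLOAD_ACTION = "upload"      # Action parameter value, compared case-insensitively

# Assumption: only these networks should ever reach the upload endpoint (mitigation item 1).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]

# Extensions a surveillance appliance's upload handler has no business accepting (mitigation item 3).
RISKY_EXT = {".jsp", ".jspx", ".war", ".jar", ".class", ".sh", ".exe", ".dll", ".php", ".aspx"}

# Combined log line plus an optional "filename=..." field. Assumption: the reverse proxy logs the
# multipart filename; if it does not, only the source-network check applies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "filename=(?P<fname>[^"]*)")?'
)


def parse_line(line):
    """Return the named fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_request(rec):
    """True when the request targets /FileDir.do with Action=Upload (any letter case)."""
    parts = urlsplit(rec["target"])
    if parts.path != UPLOAD_PATH:
        return False
    query = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(parts.query).items()}
    return UPLOAD_ACTION in query.get("action", [])


def is_trusted(ip):
    """True when the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec):
    """List the reasons an upload request deserves attention; empty list means nothing unusual."""
    reasons = []
    if not is_trusted(rec["ip"]):
        reasons.append("untrusted_source")
    fname = rec.get("fname")
    if fname:
        if "/" in fname or "\\" in fname or ".." in fname:
            reasons.append("path_in_filename")      # filenames should never carry directory parts
        if PurePosixPath(fname).suffix.lower() in RISKY_EXT:
            reasons.append("risky_extension")       # last suffix decides, so x.jpg.jsp is caught
    return reasons


def scan(lines):
    """Return (ip, method, filename, reasons) for every upload request that raised a reason."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_upload_request(rec):
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ip"], rec["method"], rec.get("fname") or "", reasons))
    return alerts


# Constructed sample log: addresses, timestamps and filenames are made up for the example.
SAMPLE_LOG = [
    '192.168.50.12 - - [17/Oct/2025:18:46:45 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 512 "filename=report.pdf"',
    '203.0.113.45 - - [17/Oct/2025:18:47:02 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 512 "filename=shell.jsp"',
    '192.168.50.12 - - [17/Oct/2025:18:48:10 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 612 "filename=update.sh"',
    '203.0.113.45 - - [17/Oct/2025:18:49:00 +0000] "GET /index.do HTTP/1.1" 200 1024',
    '203.0.113.9 - - [17/Oct/2025:18:50:31 +0000] "POST /FileDir.do?action=upload HTTP/1.1" 500 0',
    '10.4.2.7 - - [17/Oct/2025:18:51:07 +0000] "POST /FileDir.do?Action=Upload HTTP/1.1" 200 512 "filename=../webapps/ROOT/x.jsp"',
]

if __name__ == "__main__":
    for ip, method, fname, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {fname or '-'}: {', '.join(reasons)}")
```

The source check fires on its own even when no filename is logged, which is the case for the fifth sample line, so the allowlist test does not depend on proxy configuration. Tune TRUSTED_NETS to the management network that legitimately uses the upload feature, and treat any alert with risky_extension or path_in_filename as an incident-response trigger rather than a tuning candidate.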
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-17T13:01:39.537Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f28f159c34d0947f3bb416
Added to database: 10/17/2025, 6:46:45 PM
Last enriched: 10/17/2025, 7:02:41 PM
Last updated: 10/19/2025, 4:53:15 AM