CVE-2025-11909: SQL Injection in Shenzhen Ruiming Technology Streamax Crocus
A weakness has been identified in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. The impacted element is the function queryLast of the file /RepairRecord.do?Action=QueryLast. Manipulation of the argument orderField can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11909 is a SQL injection vulnerability identified in Shenzhen Ruiming Technology's Streamax Crocus software, version 1.3.40. The vulnerability resides in the queryLast function reached via the /RepairRecord.do?Action=QueryLast endpoint. Specifically, the orderField parameter is not properly sanitized, allowing an attacker to inject SQL into the query it builds. The injection can be performed remotely without user interaction and requires only limited privileges, making exploitation feasible over the network. Successful exploitation can yield unauthorized access to sensitive database information, modification or deletion of records, and disruption of application functionality. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The vendor was notified early but has not issued any patches or advisories, and a public exploit is available, increasing the risk of exploitation. No active exploitation has been reported so far. With no vendor response and no patch available, affected organizations must rely on compensating controls and proactive monitoring. The vulnerability affects a specific version (1.3.40) of Streamax Crocus, a product likely used in repair record management or related operational contexts.
Potential Impact
For European organizations utilizing Streamax Crocus 1.3.40, this vulnerability poses significant risks including unauthorized disclosure of sensitive repair records and operational data, data integrity compromise through unauthorized modification or deletion, and potential denial of service if database operations are disrupted. Given the remote exploitability without user interaction and low complexity, attackers could automate attacks to extract confidential information or manipulate data, impacting business continuity and compliance with data protection regulations such as GDPR. Sectors relying on this software for operational management, including manufacturing, logistics, and maintenance services, could experience operational disruptions. The absence of vendor patches increases exposure duration, and public exploit availability raises the likelihood of targeted attacks. Data breaches resulting from this vulnerability could lead to reputational damage and regulatory penalties within the European Union and other jurisdictions with strict data privacy laws.
Mitigation Recommendations
Immediate mitigation should focus on implementing strict input validation and sanitization for the orderField parameter at the application or web server level, employing web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the /RepairRecord.do?Action=QueryLast endpoint. Network segmentation and restricting external access to the affected application can reduce exposure. Organizations should monitor database logs and application logs for unusual query patterns indicative of injection attempts. Employing database-level protections such as least privilege for application database accounts can limit the impact of successful injections. Since no vendor patch is available, consider deploying virtual patching via WAF or reverse proxy solutions. Additionally, organizations should prepare incident response plans specific to SQL injection attacks and conduct regular security assessments of the affected systems. Where feasible, upgrade or replace the vulnerable software version once a patch or secure alternative is available.
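The advisory's mitigation centres on validating orderField. Because a sort column is an identifier rather than a value, it cannot be passed as a bound query parameter, so the practical fix is an allowlist. The following is an added example written for this page, not code from the Streamax product or the advisory: it contrasts the defect class (splicing the parameter into ORDER BY) with an allowlisted builder, and adds a check over constructed access-log lines that flags QueryLast requests whose orderField is outside the accepted set. Column names, table name, and log lines are all assumed.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Client-facing sort keys mapped to real column names (assumed for this example).
ALLOWED_ORDER_FIELDS = {"repairTime": "repair_time", "vehicleId": "vehicle_id"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def build_query_last_vulnerable(order_field: str) -> str:
    # The defect class in the advisory: the request parameter lands verbatim in the SQL.
    return f"SELECT * FROM repair_record ORDER BY {order_field} LIMIT 1"

def build_query_last_hardened(order_field: str, direction: str = "DESC") -> str:
    # Identifiers cannot be bound, so translate through a fixed allowlist and reject the rest.
    column = ALLOWED_ORDER_FIELDS.get(order_field)
    if column is None:
        raise ValueError(f"unsupported orderField: {order_field!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported direction: {direction!r}")
    return f"SELECT * FROM repair_record ORDER BY {column} {direction} LIMIT 1"

def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the repair-record store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE repair_record (id INTEGER, vehicle_id TEXT, repair_time TEXT)")
    conn.executemany("INSERT INTO repair_record VALUES (?, ?, ?)",
                     [(1, "V-100", "2025-10-01"), (2, "V-200", "2025-10-15")])
    return conn

# Constructed access-log lines in common log format (not real traffic).
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - - [17/Oct/2025:18:46:45 +0000] "GET /RepairRecord.do?Action=QueryLast&orderField=repairTime HTTP/1.1" 200 512',
    '10.0.0.7 - - [17/Oct/2025:18:47:01 +0000] "GET /RepairRecord.do?Action=QueryLast&orderField=repairTime%20xyz HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Oct/2025:18:47:30 +0000] "GET /RepairRecord.do?Action=List HTTP/1.1" 200 128',
]

def flag_query_last_requests(access_log_lines) -> list:
    # Detection side: flag QueryLast requests whose decoded orderField is not an accepted value.
    flagged = []
    for line in access_log_lines:
        target = next((t for t in line.split() if t.startswith("/RepairRecord.do")), None)
        if target is None:
            continue
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get("Action") != ["QueryLast"]:
            continue
        for value in params.get("orderField", []):
            if value not in ALLOWED_ORDER_FIELDS:
                flagged.append((value, line))
    return flagged
```

The same allowlist drives both the query builder and the log check, so a value rejected by the application is also the value that stands out in the access log.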
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-17T13:01:50.610Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f28f159c34d0947f3bb41d
Added to database: 10/17/2025, 6:46:45 PM
Last enriched: 10/17/2025, 7:02:25 PM
Last updated: 10/19/2025, 12:26:57 PM