CVE-2025-11910: SQL Injection in Shenzhen Ruiming Technology Streamax Crocus
A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This affects the function Query of the file /MemoryState.do?Action=Query. The manipulation of the argument orderField leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11910 is a SQL injection vulnerability identified in version 1.3.40 of Shenzhen Ruiming Technology's Streamax Crocus software. The vulnerability resides in the Query function accessed via the /MemoryState.do?Action=Query endpoint, specifically through the orderField parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject arbitrary SQL code remotely without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact vector includes low confidentiality, integrity, and availability impacts, suggesting partial but not full compromise potential. The vendor was notified early but has not responded or released patches, and no known exploits are currently observed in the wild. The vulnerability could be exploited to extract sensitive data, modify database contents, or disrupt service availability by manipulating backend database queries. This type of injection flaw is critical in web applications interfacing with databases, especially in surveillance or monitoring systems like Streamax Crocus, which may handle sensitive video or metadata. The lack of vendor response increases the risk profile, requiring organizations to implement immediate mitigations and monitoring.
Potential Impact
For European organizations, the SQL injection vulnerability in Streamax Crocus poses risks to data confidentiality, integrity, and availability. Exploitation could lead to unauthorized data disclosure, including sensitive surveillance data or operational metadata, potentially violating GDPR and other data protection regulations. The integrity of stored data could be compromised, affecting the reliability of surveillance records or system logs. Availability impacts could disrupt surveillance operations, which are critical in sectors such as transportation, public safety, or utilities. Given the remote exploitability without authentication, attackers could leverage this vulnerability to gain footholds in networks, escalate privileges, or move laterally. The absence of vendor patches, combined with publicly available exploit code, increases the urgency of defensive measures. Organizations relying on Streamax Crocus for security monitoring or operational control should assess their exposure and implement compensating controls to prevent data breaches or operational disruptions.
Mitigation Recommendations
1. Immediately restrict network access to the /MemoryState.do?Action=Query endpoint using firewall rules or network segmentation to limit exposure to trusted hosts only.
2. Deploy and configure Web Application Firewalls (WAFs) with SQL injection detection and prevention capabilities to block malicious payloads targeting the orderField parameter.
3. Conduct thorough input validation and sanitization on all user-supplied parameters, especially orderField, if custom modifications or patches are possible.
4. Monitor application logs and network traffic for unusual query patterns or error messages indicative of SQL injection attempts.
5. If possible, isolate the Streamax Crocus system from critical networks until a vendor patch or official fix is available.
6. Engage with Shenzhen Ruiming Technology for updates and request a security patch or mitigation guidance.
7. Review and enhance database user privileges to follow the principle of least privilege, limiting the damage potential of injected queries.
8. Prepare incident response plans specific to database compromise scenarios involving Streamax Crocus.
9. Consider alternative or additional surveillance solutions if patching is delayed or vendor support remains absent.
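Recommendation 3 deserves a concrete shape, because a sort-column parameter such as orderField is the one case where prepared statements do not help: SQL identifiers cannot be bound as parameters, so the only sound control is an allowlist that maps the client-supplied name onto a fixed column. The following is an added example written for this advisory, not code from Streamax Crocus; the table, column names and sample rows are constructed, since the real schema is not known.

```python
import sqlite3

# Allowlist of sortable columns: the only defence that works for ORDER BY,
# because SQL identifiers cannot be bound as prepared-statement parameters.
# Column names are constructed for this example; the real Crocus schema is unknown.
SORTABLE_COLUMNS = {
    "id": "id",
    "deviceName": "device_name",
    "memoryUsed": "memory_used",
    "reportedAt": "reported_at",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def resolve_order_by(order_field, order_dir="asc"):
    """Map user-supplied sort parameters to a fixed SQL fragment.

    Returns None when either value is not on the allowlist, so the caller
    rejects the request instead of silently falling back to a default.
    """
    column = SORTABLE_COLUMNS.get(order_field)
    direction = DIRECTIONS.get(str(order_dir).lower())
    if column is None or direction is None:
        return None
    return f"ORDER BY {column} {direction}"


def query_memory_state(conn, order_field, order_dir="asc", limit=100):
    """Hardened query: the identifier comes from the allowlist, values are bound."""
    order_by = resolve_order_by(order_field, order_dir)
    if order_by is None:
        raise ValueError(f"orderField/orderDir not permitted: {order_field!r}/{order_dir!r}")
    sql = f"SELECT id, device_name, memory_used FROM memory_state {order_by} LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def demo_connection():
    """In-memory SQLite table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memory_state (id INTEGER, device_name TEXT, memory_used INTEGER, reported_at TEXT)")
    conn.executemany("INSERT INTO memory_state VALUES (?, ?, ?, ?)", [
        (1, "bus-017", 512, "2025-10-17T10:00:00Z"),
        (2, "bus-003", 900, "2025-10-17T10:01:00Z"),
        (3, "bus-021", 128, "2025-10-17T10:02:00Z"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(query_memory_state(conn, "memoryUsed", "desc"))   # sorted rows, ids 2, 1, 3
    try:
        query_memory_state(conn, "id; DROP TABLE memory_state--")
    except ValueError as exc:
        print("rejected:", exc)
```

A rejected value is also the signal recommendation 4 asks for: logging each ValueError with the offending parameter gives a precise detection point for probing against orderField.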
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-17T13:01:53.474Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f29d239c34d0947f3eff55
Added to database: 10/17/2025, 7:46:43 PM
Last enriched: 10/17/2025, 8:01:56 PM
Last updated: 10/19/2025, 6:18:05 AM