CVE-2025-11912 is a SQL injection vulnerability affecting Shenzhen Ruiming Technology's Streamax Crocus software, specifically version 1.3.40. The vulnerability resides in the Query function accessed via the /DeviceState.do?Action=Query endpoint. The issue arises from improper sanitization of the orderField parameter, which is used directly in SQL queries without adequate validation or parameterization. This allows an attacker to inject malicious SQL code remotely, potentially extracting sensitive information, modifying database contents, or disrupting service availability. The vulnerability requires no authentication or user interaction, increasing its risk profile. The vendor was informed early but has not provided a patch or mitigation guidance, and a proof-of-concept exploit has been published publicly. The CVSS 4.0 score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. The lack of vendor response and public exploit availability heighten the urgency for affected organizations to implement compensating controls. Streamax Crocus is typically used in video surveillance and security management, making the vulnerability particularly concerning for organizations relying on these systems for operational security.

For European organizations, this vulnerability poses risks of unauthorized access to surveillance data, manipulation of device states, and potential disruption of security monitoring operations. Confidentiality could be compromised if attackers extract sensitive video or device information. Integrity risks include unauthorized modification of device states or logs, potentially masking malicious activity. Availability could be affected if attackers exploit the vulnerability to cause denial of service or system instability. Organizations in critical infrastructure, public safety, transportation, and private security sectors using Streamax Crocus are particularly vulnerable. The absence of a vendor patch increases exposure, and the public exploit availability raises the likelihood of attacks. Data protection regulations such as GDPR may impose additional compliance risks if personal data is exposed or compromised. The medium severity score suggests moderate but non-trivial impact, emphasizing the need for timely mitigation.

Until an official patch is released, European organizations should implement strict network segmentation and firewall rules to restrict access to the /DeviceState.do endpoint, allowing only trusted management hosts. Deploy web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the orderField parameter. Conduct thorough input validation and sanitization on any proxy or intermediary systems if applicable. Monitor logs for unusual query patterns or repeated access attempts to the vulnerable endpoint. Consider disabling or limiting the use of the Query function if operationally feasible. Engage with Shenzhen Ruiming Technology for updates and request a security patch. Regularly update incident response plans to include detection and containment strategies for SQL injection attacks. Additionally, perform security assessments on other components of the Streamax Crocus system to identify potential related vulnerabilities.