CVE-2025-11914 identifies a path traversal vulnerability in Shenzhen Ruiming Technology's Streamax Crocus software, specifically version 1.3.40. The vulnerability resides in the Download function accessible via the endpoint /DeviceFileReport.do?Action=Download. By manipulating the FilePath parameter, an attacker can traverse the file system directories beyond the intended scope, potentially accessing arbitrary files on the server. This type of vulnerability arises due to insufficient validation or sanitization of user-supplied input that controls file paths. The attack vector is remote and requires no authentication or user interaction, making exploitation feasible over the network by any unauthenticated attacker. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality with no impact on integrity or availability. The vendor was contacted early but has not issued a patch or mitigation guidance, and a public exploit has been released, increasing the risk of exploitation. The vulnerability could allow attackers to read sensitive configuration files, credentials, or other critical data stored on the device, potentially leading to further compromise or information leakage. The affected product is used in surveillance and monitoring contexts, which may involve sensitive or critical infrastructure data.

For European organizations, the primary impact of this vulnerability is unauthorized disclosure of sensitive information due to path traversal exploitation. This can compromise confidentiality by exposing configuration files, credentials, or other sensitive data stored on devices running Streamax Crocus 1.3.40. Organizations relying on this product for surveillance or monitoring may face operational risks if attackers gain insights into system configurations or security controls. Although the vulnerability does not directly affect system integrity or availability, the exposure of sensitive data could facilitate subsequent attacks or espionage. The lack of vendor response and public exploit availability increases the likelihood of exploitation, especially in sectors such as critical infrastructure, law enforcement, or transportation where Streamax products may be deployed. European entities with regulatory obligations around data protection (e.g., GDPR) could face compliance risks if sensitive personal or operational data is disclosed.

Given the absence of an official patch, European organizations should implement several specific mitigations: 1) Deploy network-level access controls such as firewalls or VPNs to restrict access to the vulnerable endpoint /DeviceFileReport.do?Action=Download only to trusted internal networks or administrators. 2) Implement web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in the FilePath parameter, such as sequences containing '../' or encoded variants. 3) Conduct thorough input validation and sanitization on any proxy or gateway devices that handle requests to Streamax Crocus, enforcing strict whitelisting of allowed file paths. 4) Monitor logs and network traffic for unusual access attempts or exploitation indicators targeting the Download function. 5) Isolate affected devices from the internet or untrusted networks until a vendor patch is available. 6) Engage with Shenzhen Ruiming Technology for updates or consider alternative products if remediation is delayed. 7) Perform regular security assessments and penetration tests focusing on this vulnerability vector. 8) Educate security teams about the vulnerability and ensure incident response plans include detection and containment strategies for path traversal attacks.