CVE-2026-4910: SQL Injection in Shenzhen Ruiming Technology Streamax Crocus
CVE-2026-4910 is a medium-severity SQL injection vulnerability affecting Shenzhen Ruiming Technology's Streamax Crocus versions up to 1.3.44. The flaw exists in the /RemoteFormat.do endpoint, where manipulation of the 'State' parameter allows an unauthenticated attacker to execute arbitrary SQL commands remotely without user interaction. This vulnerability can compromise confidentiality, integrity, and availability of the backend database. Although no public exploits are currently known in the wild, the exploit details have been publicly disclosed, and the vendor has not responded to notifications. Organizations using affected versions should prioritize mitigation to prevent potential data breaches or system compromise. Countries with significant deployments of Streamax Crocus or strategic interest in surveillance technologies are at higher risk. Immediate mitigation steps include restricting access to the vulnerable endpoint, implementing web application firewalls with SQLi detection, and monitoring for suspicious database activity.
AI Analysis
Technical Summary
CVE-2026-4910 identifies a SQL injection vulnerability in Shenzhen Ruiming Technology's Streamax Crocus product, specifically in the /RemoteFormat.do endpoint of the Endpoint component. The vulnerability arises from improper sanitization of the 'State' parameter, which is directly incorporated into SQL queries without adequate validation or parameterization. This allows remote attackers to inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires no authentication or user interaction, making it highly accessible for exploitation over the network. The affected versions span from 1.3.0 through 1.3.44, indicating a long-standing issue across many releases. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and moderate impact on confidentiality, integrity, and availability. Despite public disclosure of the exploit, no known active exploitation has been reported. The vendor has not issued patches or responded to vulnerability reports, leaving users exposed. The vulnerability's exploitation could enable attackers to extract sensitive information, corrupt data, or disrupt service availability, posing significant risks to organizations relying on this product for surveillance or endpoint management.
Potential Impact
The SQL injection vulnerability in Streamax Crocus can have severe consequences for affected organizations. Successful exploitation can lead to unauthorized disclosure of sensitive data stored in backend databases, including potentially personal or operational information. Attackers may alter or delete critical data, undermining data integrity and trustworthiness. Additionally, attackers could execute commands that degrade or disrupt service availability, causing operational downtime. Given the unauthenticated and remote nature of the exploit, attackers can easily target exposed systems without needing credentials or user interaction, increasing the attack surface. Organizations in sectors such as security surveillance, law enforcement, transportation, or critical infrastructure that deploy Streamax Crocus may face increased risks of espionage, data theft, or sabotage. The lack of vendor response and patches exacerbates the threat, forcing organizations to rely on compensating controls. The widespread affected versions suggest many deployments remain vulnerable, potentially impacting global operations and data privacy compliance.
Mitigation Recommendations
1. Immediately restrict network access to the /RemoteFormat.do endpoint by implementing firewall rules or network segmentation to limit exposure to trusted IP addresses only.
2. Deploy a web application firewall (WAF) with robust SQL injection detection and prevention capabilities, tuned specifically to detect anomalous patterns in the 'State' parameter.
3. Conduct thorough input validation and sanitization on all user-supplied parameters, especially 'State', using parameterized queries or prepared statements if custom development or patching is possible.
4. Monitor database logs and application logs for unusual or suspicious queries indicative of SQL injection attempts.
5. If feasible, isolate or decommission vulnerable versions of Streamax Crocus until a vendor patch or update is available.
6. Engage with Shenzhen Ruiming Technology for updates or patches and subscribe to vulnerability advisories for timely information.
7. Implement intrusion detection systems (IDS) to alert on exploitation attempts targeting this vulnerability.
8. Educate security teams and administrators about this vulnerability and ensure incident response plans include scenarios for SQL injection attacks.
9. Consider deploying database activity monitoring tools to detect and block unauthorized queries in real time.
10. Regularly back up critical data and verify backup integrity to enable recovery in case of data corruption or deletion.
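The following Python script, added here as an illustration and not part of the advisory or the vendor's software, applies recommendations 1, 2 and 4 to web access logs in common/combined format: it flags requests to /RemoteFormat.do that arrive from outside a trusted network or whose State value falls outside an allowlist. The allowlist pattern, the trusted network 10.20.0.0/24 and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/RemoteFormat.do"   # endpoint named in the advisory
PARAM = "State"                 # parameter named in the advisory
# Assumption: legitimate State values are short alphanumeric tokens.
STATE_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Assumption: the only network that should reach the endpoint.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:          # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def review_line(line):
    """Reasons a common/combined-format log line needs review (empty if none)."""
    m = LOG_RE.match(line)
    url = urlsplit(m["target"]) if m else None
    if url is None or url.path.lower() != ENDPOINT.lower():
        return []
    reasons = []
    if not is_trusted(m["ip"]):
        reasons.append("untrusted-source")
    # parse_qs percent-decodes values, so encoded metacharacters are compared in clear.
    query = parse_qs(url.query, keep_blank_values=True)
    values = [v for k, vs in query.items() if k.lower() == PARAM.lower() for v in vs]
    if any(not STATE_ALLOWED.fullmatch(v) for v in values):
        reasons.append("state-outside-allowlist")
    return reasons

def review_log(lines):
    hits = ((n, review_line(line)) for n, line in enumerate(lines, 1))
    return [(n, reasons) for n, reasons in hits if reasons]

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:01:02 +0000] "GET /RemoteFormat.do?State=1 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2026:10:03:40 +0000] "GET /RemoteFormat.do?State=2 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2026:10:03:41 +0000] "GET /RemoteFormat.do?State=1%27 HTTP/1.1" 500 87',
    '10.20.0.15 - - [01/Jan/2026:10:05:00 +0000] "GET /index.do HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

Access logs record only the query string, so State values sent in a request body need WAF or application-level logging to be reviewed the same way.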
Affected Countries
China, United States, India, Russia, Brazil, Germany, United Kingdom, France, South Korea, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-26T16:10:45.133Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c66dbb3c064ed76fa122ef
Added to database: 3/27/2026, 11:44:59 AM
Last enriched: 3/27/2026, 12:00:06 PM
Last updated: 3/27/2026, 12:45:28 PM