CVE-2026-4956 is a remote SQL injection vulnerability identified in Shenzhen Ruiming Technology's Streamax Crocus software, specifically version 1.3.44. The flaw exists in the handling of the 'State' parameter within the /DevicePrint.do?Action=ReadTask endpoint, part of the Parameter Handler component. By manipulating this parameter, an attacker can inject malicious SQL queries, potentially allowing unauthorized access to or modification of the backend database. The vulnerability requires no authentication or user interaction, making it exploitable remotely with relative ease. The vendor was contacted early but has not responded or released a patch, increasing the risk exposure. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the attack vector is network-based, with low complexity and no privileges required. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to partial control over database queries. No known exploits in the wild have been reported yet, but public exploit code is available, increasing the likelihood of future attacks. This vulnerability is particularly concerning for organizations relying on Streamax Crocus for surveillance or device management, as attackers could leverage it to extract sensitive information or disrupt services.

The SQL injection vulnerability in Streamax Crocus can lead to unauthorized disclosure of sensitive data stored in the backend database, including potentially user credentials, device configurations, or surveillance data. Attackers could also modify or delete data, undermining data integrity and potentially causing denial of service or operational disruptions. Since the vulnerability is remotely exploitable without authentication, it poses a significant risk to exposed systems, especially those accessible from untrusted networks. Organizations using this software in critical infrastructure or security monitoring roles could face operational risks and compliance issues if exploited. The lack of vendor response and patch availability prolongs exposure, increasing the window for attackers to develop and deploy exploits. While no widespread exploitation is currently reported, the availability of public exploit code elevates the threat level. The impact is compounded in environments where Streamax Crocus devices are integrated into larger security or surveillance ecosystems, potentially allowing lateral movement or data exfiltration.

Given the absence of an official patch, organizations should implement immediate compensating controls. These include restricting network access to the affected Streamax Crocus devices by isolating them within secure network segments and applying strict firewall rules to limit inbound traffic to trusted sources only. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the /DevicePrint.do?Action=ReadTask endpoint, particularly filtering suspicious 'State' parameter inputs. Conduct thorough logging and monitoring of device access and database queries to detect anomalous activity indicative of exploitation attempts. If possible, disable or restrict the vulnerable endpoint until a vendor patch is available. Regularly audit and update credentials and access controls associated with these devices to minimize potential damage. Engage with Shenzhen Ruiming Technology for updates and consider alternative solutions or vendor products with active security support if the vendor remains unresponsive. Finally, educate relevant personnel on the risks and signs of exploitation to enhance incident response readiness.