PT-2025-42639 · Shenzhen Ruiming Technology · Streamax Crocus

Nu11

Published

2025-10-17

Updated

2025-10-17

CVE-2025-11908

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Shenzhen Ruiming Technology Streamax Crocus version 1.3.40

Description A security flaw exists in the Streamax Crocus software. The issue involves unrestricted file upload through manipulation of the File argument in the uploadFile function, accessible via the /FileDir.do?Action=Upload endpoint. This allows for remote exploitation. The exploit has been publicly released. The vendor was contacted but did not respond.

Recommendations Apply a fix for Streamax Crocus version 1.3.40 to address the unrestricted file upload issue. As a temporary workaround, restrict access to the /FileDir.do?Action=Upload endpoint. Avoid uploading files to the affected endpoint until a fix is available.

Exploit

Fix

Improper Access Control

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-434

Related Identifiers

CVE-2025-11908

Affected Products

Streamax Crocus

PT-2025-42639 · Shenzhen Ruiming Technology · Streamax Crocus

CVE-2025-11908

Weakness Enumeration

Related Identifiers

Affected Products

References · 9