CVE-2025-11913
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-10-17
EPSS Evaluated
2026-05-05
NVD
CVE-2025-11913
EUVD
EUVD-2025-34929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
streamax streamax_crocus 1.3.40
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Shenzhen Ruiming Technology Streamax Crocus 1.3.40, specifically in the Download function of the /Service.do?Action=Download file. It allows an attacker to manipulate the 'Path' argument to perform a path traversal attack, which means the attacker can access files and directories outside the intended scope. The attack can be launched remotely, and the exploit has been publicly disclosed. [1]


How can this vulnerability impact me? :

The vulnerability can allow an attacker with some privileges to remotely access unauthorized files on the affected system by exploiting the path traversal flaw. This could lead to exposure of sensitive information or system files, potentially compromising confidentiality. However, the impact is limited to confidentiality as integrity and availability are not affected. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability can be performed by monitoring HTTP requests to the endpoint /Service.do?Action=Download with suspicious Path parameter values that indicate path traversal attempts (e.g., containing ../ sequences). Network intrusion detection systems (NIDS) can be configured to alert on such patterns. Additionally, manual inspection or automated scanning tools can be used to send crafted requests to test for path traversal. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /Service.do?Action=Download, implementing input validation and sanitization on the Path parameter to prevent path traversal, and applying any available patches or updates from the vendor. Since the vendor has not responded, consider deploying web application firewalls (WAF) rules to block malicious requests targeting this vulnerability. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart