CVE-2025-11914 Overview
CVE-2025-11914 is a path traversal vulnerability [CWE-22] in Shenzhen Ruiming Technology Streamax Crocus version 1.3.40. The flaw resides in the Download function reachable through the /DeviceFileReport.do?Action=Download endpoint. An authenticated remote attacker can manipulate the FilePath parameter to traverse the directory structure and access files outside the intended scope.
Critical Impact
A remote attacker with low-level privileges can read arbitrary files from the Crocus server filesystem. Public exploit details have been disclosed, and the vendor did not respond to disclosure attempts.
Affected Products
- Shenzhen Ruiming Technology Streamax Crocus 1.3.40
- Vendor/product identifier: streamax:streamax_crocus:1.3.40
- Deployments exposing the /DeviceFileReport.do endpoint
Discovery Timeline
- 2025-10-17 - CVE-2025-11914 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11914
Vulnerability Analysis
The vulnerability exists in the Download handler exposed at /DeviceFileReport.do?Action=Download. The handler accepts a user-supplied FilePath parameter and uses it to locate the file returned to the client. Streamax Crocus does not canonicalize or validate this value, so traversal sequences such as ../ are honored by the underlying file system call.
An attacker who can authenticate with low privileges can request files outside the intended download directory. Targets typically include configuration files, credential stores, application source, and operating system files readable by the web service account. The attack proceeds over the network and does not require user interaction.
A public proof of concept has been published on GitHub, and the entry is tracked as VulDB #328924. The EPSS probability is approximately 0.119%.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The FilePath parameter flows directly into a file-read operation without normalization, allow-list validation, or a chroot-style boundary. The ../ sequence resolves to the parent directory on both Windows and Linux hosts, and ..\ does so on Windows, exposing the file system.
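As an added illustration (not code from Streamax or from the advisory), the unsafe join that produces this CWE-22 behaviour beside a hardened resolver that confines every download to the report directory. The directory layout, the function names and the sample paths are assumptions; the advisory does not disclose the real handler's code.

```python
"""Added example: vulnerable vs. confined FilePath resolution (hypothetical
handler, not the Crocus implementation)."""
import os
import re
import tempfile
from pathlib import Path


def resolve_unsafe(base_dir, file_path):
    """The CWE-22 pattern: caller-controlled FilePath is joined onto the
    report directory and handed to the file system as-is. '../' climbs out
    of base_dir, and an absolute path makes os.path.join drop base_dir."""
    return os.path.normpath(os.path.join(base_dir, file_path))


def resolve_confined(base_dir, file_path):
    """Hardened form: reject traversal components, backslashes and absolute
    paths up front, then canonicalize (symlinks included) and confirm the
    result is still beneath the report directory."""
    requested = Path(file_path)
    if (requested.is_absolute() or "\\" in file_path
            or ".." in requested.parts or re.match(r"^[A-Za-z]:", file_path)):
        raise PermissionError(f"rejected FilePath {file_path!r}")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Second line of defence: even after a symlink hop, stay under base.
    # A real handler would additionally require candidate.is_file().
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"{file_path!r} resolves outside {base}")
    return candidate


def escapes_report_dir(base_dir, file_path):
    """True when the hardened resolver would refuse the request."""
    try:
        resolve_confined(base_dir, file_path)
    except PermissionError:
        return True
    return False


def demo():
    """Throw-away layout: reports/ with one report and a sibling secret file
    (constructed contents) that the download handler must never serve."""
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")
        os.makedirs(reports)
        Path(reports, "dev01.csv").write_text("device,status\n")
        Path(root, "secret.ini").write_text("db_password=PLACEHOLDER\n")
        print("unsafe join resolves to:", resolve_unsafe(reports, "../secret.ini"))
        print("confined read:", resolve_confined(reports, "dev01.csv").read_text().strip())
        for bad in ("../secret.ini", "/etc/passwd", "..\\secret.ini"):
            print(f"confined rejects {bad!r}:", escapes_report_dir(reports, bad))


if __name__ == "__main__":
    demo()
```

The up-front component check and the post-resolution containment check are deliberately redundant: the first gives a clear error for the obvious cases, the second catches anything that only escapes after symlink resolution.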
Attack Vector
Exploitation requires network access to the Crocus management interface and valid low-privileged credentials. The attacker issues an HTTP request to /DeviceFileReport.do with Action=Download and a FilePath value containing traversal characters. The server returns the contents of the targeted file in the HTTP response. See the GitHub PoC Repository and the VulDB entry #328924 for the exact request structure.
Detection Methods for CVE-2025-11914
Indicators of Compromise
- HTTP requests to /DeviceFileReport.do containing Action=Download combined with traversal sequences such as ../, ..\, or URL-encoded variants (%2e%2e%2f, %2e%2e%5c) in the FilePath parameter.
- Response sizes or content types inconsistent with expected device report downloads.
- Access patterns from a single low-privileged account enumerating different FilePath values in rapid succession.
Detection Strategies
- Inspect web server and reverse proxy logs for FilePath parameter values that resolve outside the application's report directory.
- Deploy WAF or IDS signatures that flag path traversal patterns targeting the DeviceFileReport.do URI.
- Correlate authentication events with subsequent download requests to identify abuse of low-privileged accounts.
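The indicators and the three strategies above (decoded FilePath inspection, traversal patterns on the DeviceFileReport.do URI, and per-account correlation) as one added detection script, written for this page rather than taken from the advisory or the vendor. The log lines are constructed samples in combined access-log format; the usernames, addresses, timestamps and the `threshold` value are assumptions.

```python
"""Added example: flag traversal attempts against the Download action in
access logs (constructed sample data, hypothetical field layout)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real Crocus logs).
SAMPLE_LOG = """\
10.0.0.5 - operator [17/Oct/2025:10:01:02 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=reports%2Fdev01.csv HTTP/1.1" 200 8123
10.0.0.9 - svc_view [17/Oct/2025:10:02:10 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1311
10.0.0.9 - svc_view [17/Oct/2025:10:02:11 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 4090
10.0.0.9 - svc_view [17/Oct/2025:10:02:12 +0000] "GET /DeviceFileReport.do?Action=Download&FilePath=..%5C..%5Cconfig.ini HTTP/1.1" 200 512
10.0.0.7 - admin [17/Oct/2025:10:05:00 +0000] "GET /DeviceFileReport.do?Action=List HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole path component with either separator, or an absolute path.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
ABSOLUTE = re.compile(r'^([\\/]|[A-Za-z]:[\\/])')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_path(path):
    """Reason string if the decoded FilePath leaves the report directory,
    else None."""
    if ABSOLUTE.match(path):
        return "absolute path"
    if TRAVERSAL.search(path):
        return "parent-directory traversal"
    return None


def scan(log_text):
    """One finding per Download request whose decoded FilePath is suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/devicefilereport.do"):
            continue
        params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        if params.get("action", "").lower() != "download" or "filepath" not in params:
            continue
        path = fully_decode(params["filepath"])  # parse_qs decoded once already
        reason = classify_path(path)
        if reason:
            findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "status": m["status"], "path": path, "reason": reason})
    return findings


def enumeration_suspects(findings, threshold=3):
    """Accounts that requested at least `threshold` distinct suspicious paths,
    the rapid-enumeration indicator from the advisory (threshold is assumed)."""
    paths = defaultdict(set)
    for f in findings:
        paths[f["user"]].add(f["path"])
    return {u: len(p) for u, p in paths.items() if len(p) >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} {h["reason"]}: {h["path"]}')
    print("enumeration suspects:", enumeration_suspects(hits))
```

Decoding is done on the parsed value rather than by pattern-matching the raw query string, which is what lets the double-encoded line be caught; pair a 200 status on a flagged request with an incident rather than a mere attempt.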
Monitoring Recommendations
- Forward Crocus application and access logs to a centralized SIEM or data lake for retention and pattern analysis.
- Alert on download requests returning sensitive file extensions or names such as .conf, .ini, .xml, .bak, web.config, or /etc/passwd.
- Monitor outbound traffic volume from the Crocus host for signs of bulk file extraction.
How to Mitigate CVE-2025-11914
Immediate Actions Required
- Restrict network access to the Crocus management interface to trusted administrative networks only.
- Rotate credentials for all Crocus accounts, particularly low-privileged service accounts that could be abused for exploitation.
- Block requests to /DeviceFileReport.do containing traversal sequences at the WAF or reverse proxy layer.
- Audit application logs for evidence of historical exploitation against the FilePath parameter.
Patch Information
No vendor patch is available. The vendor was contacted during the disclosure process but did not respond, according to the public advisory. Operators should track the VulDB entry #328924 for updates and apply compensating controls in the meantime.
Workarounds
- Place the Crocus interface behind a VPN or zero-trust gateway requiring strong authentication.
- Implement WAF rules that reject FilePath values containing .., encoded traversal sequences, or absolute paths.
- Run the Crocus service under a low-privileged OS account with file system permissions limited to its required directories.
- Disable or firewall the /DeviceFileReport.do endpoint if the download function is not required for operations.
# Example NGINX rule to block traversal patterns targeting the vulnerable endpoint.
# $args is the raw query string, so percent-encoded forms are listed explicitly;
# ~* makes the match case-insensitive (%2E as well as %2e).
# Double-encoded values (e.g. %252e) are not caught here; normalize at a WAF.
location /DeviceFileReport.do {
    # ".." or its encoded form, followed by any separator spelling: /, \
    # (written as \x5c because nginx unescapes "\\" inside quoted strings,
    # which would turn "\.\.\\|" into an escaped pipe), %2f, or %5c.
    if ($args ~* "FilePath=[^&]*(\.\.|%2e%2e)(/|\x5c|%2f|%5c)") {
        return 403;
    }
    proxy_pass http://crocus_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.