CVE-2026-4910 Overview
A SQL Injection vulnerability has been identified in Shenzhen Ruiming Technology Streamax Crocus firmware versions up to 1.3.44. The vulnerability exists in an unknown function within the /RemoteFormat.do file of the Endpoint component. By manipulating the State argument, attackers can inject malicious SQL queries, potentially compromising the confidentiality, integrity, and availability of the underlying database. The attack can be launched remotely without authentication, and the exploit has been disclosed publicly. Notably, the vendor was contacted early about this disclosure but did not respond.
Critical Impact
Remote attackers can exploit this SQL injection vulnerability to manipulate database queries, potentially extracting sensitive data, modifying records, or disrupting device operations on affected Streamax Crocus systems.
Affected Products
- Shenzhen Ruiming Technology Streamax Crocus up to version 1.3.44
- Devices exposing the /RemoteFormat.do endpoint
Discovery Timeline
- 2026-03-27 - CVE-2026-4910 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-4910
Vulnerability Analysis
This vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as Injection. The flaw exists in the /RemoteFormat.do endpoint of the Streamax Crocus web interface, where the State parameter does not properly sanitize user-supplied input before incorporating it into SQL queries. This allows an attacker to inject arbitrary SQL commands that are executed by the database backend.
The vulnerability is exploitable over the network with low attack complexity and requires no privileges or user interaction. Successful exploitation could allow an attacker to read, modify, or delete data from the database, potentially compromising sensitive operational data stored on the device.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization of the State parameter in the /RemoteFormat.do endpoint. User-supplied input is directly concatenated into SQL queries without proper parameterization or escaping, allowing malicious SQL statements to be executed by the database engine. This represents a classic SQL injection flaw where dynamic query construction does not employ prepared statements or proper input filtering.
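To make the root cause concrete, the following added example (written for this page, not code from Streamax or from the advisory sources) contrasts the query-building pattern described above with its parameterized and allowlisted replacements. The table, column names and the `State` values are constructed stand-ins; the real Crocus schema and query are not published, so nothing here reproduces the actual vulnerable code.

```python
import sqlite3

# Constructed in-memory table standing in for the device database.
# Assumption: the real schema is unknown; "state" and "device" are hypothetical columns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE remote_format (id INTEGER PRIMARY KEY, state TEXT, device TEXT)")
    conn.executemany(
        "INSERT INTO remote_format (state, device) VALUES (?, ?)",
        [("pending", "cam-01"), ("done", "cam-02"), ("done", "cam-03")],
    )
    return conn

def lookup_vulnerable(conn, state):
    # The pattern the advisory describes: untrusted input concatenated straight into SQL.
    # Any quote or keyword in `state` becomes part of the statement the engine executes.
    sql = "SELECT device FROM remote_format WHERE state = '" + state + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, state):
    # Hardened form: a bound parameter. The driver hands the value to the engine as data,
    # so the statement's structure is fixed regardless of what `state` contains.
    sql = "SELECT device FROM remote_format WHERE state = ?"
    return [row[0] for row in conn.execute(sql, (state,))]

ALLOWED_STATES = {"pending", "done", "failed"}  # hypothetical allowlist

def lookup_allowlisted(conn, state):
    # Defence in depth: when the parameter is an enumerated value, reject anything else
    # before it reaches the database at all, and still use the bound parameter.
    if state not in ALLOWED_STATES:
        raise ValueError("rejected State value")
    return lookup_parameterized(conn, state)
```

With a benign value all three functions return the same rows; with a value that carries a quote, only the concatenated version changes the query's meaning, while the parameterized version returns nothing and the allowlisted version refuses the input outright.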
Attack Vector
The attack vector is network-based, allowing remote exploitation without authentication. An attacker can craft HTTP requests to the /RemoteFormat.do endpoint with malicious payloads in the State parameter. The injected SQL commands are then processed by the backend database server, enabling various attack scenarios including data exfiltration, data manipulation, and potential denial of service.
The vulnerability can be exploited by sending specially crafted requests containing SQL metacharacters and commands in the State parameter. When the endpoint processes the malicious input without proper sanitization, the injected SQL is executed against the database. Technical details about the exploitation are documented in the Feishu Document and VulDB entry #353661.
Detection Methods for CVE-2026-4910
Indicators of Compromise
- HTTP requests to /RemoteFormat.do containing SQL injection patterns in the State parameter
- Database error messages in application logs indicating malformed SQL queries
- Unusual database query patterns or execution times on affected systems
- Unexpected data modifications or exfiltration from the device database
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the State parameter
- Monitor HTTP access logs for requests to /RemoteFormat.do with suspicious payloads containing SQL keywords or special characters
- Implement database query logging and anomaly detection to identify unexpected query patterns
- Use network intrusion detection systems (IDS) with SQL injection signatures
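The log-review strategy above (and the "repeated requests" item under Monitoring Recommendations) can be scripted against ordinary HTTP access logs. The following is an added example written for this page, not a tool from the vendor or from VulDB; the log lines are constructed in Common Log Format, the keyword and metacharacter lists are a starting point rather than a complete signature set, and the `State` parameter name and `/RemoteFormat.do` path come from the advisory.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log sample (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:01:02 +0000] "GET /RemoteFormat.do?State=done HTTP/1.1" 200 512
203.0.113.9 - - [27/Mar/2026:10:01:05 +0000] "GET /RemoteFormat.do?State=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
203.0.113.9 - - [27/Mar/2026:10:01:06 +0000] "GET /RemoteFormat.do?State=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 500 0
198.51.100.3 - - [27/Mar/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords that have no business in an enumerated State value.
SQLI_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.I
)
# Quote, statement separator and comment openers: the SQL metacharacters the advisory mentions.
SQLI_META = re.compile(r"['\";]|--|/\*")

def classify_state(value):
    """Return the list of reasons a decoded State value looks like an injection attempt."""
    reasons = []
    if SQLI_META.search(value):
        reasons.append("sql-metachar")
    if SQLI_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    return reasons

def scan_log(text):
    """Yield one hit per suspicious State value sent to /RemoteFormat.do."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/RemoteFormat.do":
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("State", []):
            # parse_qs decodes once; decode again so double-encoded payloads are not missed.
            decoded = unquote_plus(raw)
            reasons = classify_state(decoded)
            if reasons:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                    "state": decoded, "reasons": reasons,
                })
    return hits

def offenders(hits, threshold=2):
    """Sources with at least `threshold` suspicious requests (the repeated-request signal)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["reasons"], repr(h["state"]))
    print("repeat offenders:", offenders(found))
```

The 500 status on the second suspicious request is the kind of malformed-query error the Indicators of Compromise list points at, so correlating the parameter check with status codes and response sizes reduces false positives from legitimate values that happen to contain a keyword.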
Monitoring Recommendations
- Enable detailed logging on Streamax Crocus devices if available
- Monitor network traffic for repeated requests to the /RemoteFormat.do endpoint
- Establish baseline behavior for database queries and alert on anomalies
- Review access logs regularly for evidence of exploitation attempts
How to Mitigate CVE-2026-4910
Immediate Actions Required
- Restrict network access to the /RemoteFormat.do endpoint using firewall rules or network segmentation
- Place affected Streamax Crocus devices behind a Web Application Firewall (WAF) with SQL injection protection
- Limit exposure of affected devices by removing them from public-facing networks
- Monitor for exploitation attempts while awaiting vendor response or patch availability
Patch Information
No official patch is currently available from Shenzhen Ruiming Technology. The vendor was contacted about this vulnerability but did not respond. Organizations should monitor vendor channels for future security updates and consider replacement of affected devices if no patch is forthcoming. Additional technical information is available via VulDB submission #777507.
Workarounds
- Implement network-level access controls to restrict access to the vulnerable endpoint to trusted IP addresses only
- Deploy a reverse proxy with input validation to filter malicious SQL injection payloads
- Disable the vulnerable endpoint if functionality is not required for operations
- Consider network segmentation to isolate affected devices from sensitive network segments
# Example: Block access to vulnerable endpoint using iptables
# Restrict /RemoteFormat.do access to trusted management IP only
# Note: the string match inspects packet payload, so it only works for plaintext HTTP.
# On port 443 the path is inside TLS and cannot be matched; terminate TLS on a reverse proxy
# or WAF and filter there instead. --icase makes the match case-insensitive, but
# URL-encoded or fragmented requests can still slip past a packet-level string match.
iptables -A INPUT -p tcp --dport 80 -m string --string "/RemoteFormat.do" --algo bm --icase -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/RemoteFormat.do" --algo bm --icase -j DROP
# Allow only trusted management network (10.0.0.0/24 is a placeholder; use your own range).
# -I inserts these ahead of the DROP rules so management traffic is accepted first.
iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 443 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.