📄 Description (English)
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unknown function of the file /OperateStatistic.do. The manipulation of the argument VehicleID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-4955 is a critical SQL injection vulnerability in Streamax Crocus 1.3.44 affecting the /OperateStatistic.do endpoint through the VehicleID parameter. With a CVSS score of 7.3 and public exploit availability, this poses significant risk to organizations using this fleet management system. The lack of vendor response and available patches necessitates immediate mitigation actions.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 6, 2026 17:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi transportation and logistics companies, government fleet management operations, and ride-sharing services utilizing Streamax Crocus systems. High-risk sectors include: (1) Saudi Aramco and energy sector fleet operations, (2) Government transportation departments and municipal services, (3) Private logistics and delivery companies (e-commerce support), (4) Taxi and ride-sharing platforms. The SQL injection could enable unauthorized access to vehicle tracking data, driver information, operational statistics, and potentially customer data, creating significant privacy and operational security risks.
🏢 Affected Saudi Sectors
Transportation & Logistics
Government & Public Services
Energy (Aramco operations)
Ride-sharing & Taxi Services
E-commerce & Delivery
Municipal Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running Streamax Crocus 1.3.44 and isolate from internet-facing access
2. Implement network segmentation to restrict access to /OperateStatistic.do endpoint
3. Enable comprehensive logging and monitoring of all requests to affected endpoints
COMPENSATING CONTROLS:
1. Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in VehicleID parameter (block: single quotes, double dashes, semicolons, UNION, SELECT, DROP, INSERT, UPDATE, DELETE)
2. Implement input validation at application layer - whitelist only alphanumeric characters and hyphens for VehicleID
3. Apply database-level restrictions: create read-only database user for application, revoke unnecessary privileges
4. Enable SQL query logging and anomaly detection for suspicious database activity
DETECTION RULES:
1. Monitor HTTP requests to /OperateStatistic.do with VehicleID containing SQL metacharacters
2. Alert on database error messages returned in HTTP responses
3. Track unusual database query patterns or failed authentication attempts
4. Monitor for data exfiltration attempts via UNION-based injection
PATCHING STRATEGY:
1. Contact Streamax vendor for security updates or migration timeline
2. Evaluate alternative fleet management solutions with active security support
3. Plan upgrade to patched version immediately upon availability
4. Document all compensating controls as temporary measures
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ Streamax Crocus 1.3.44 وعزلها عن الوصول المتصل بالإنترنت
2. تنفيذ تقسيم الشبكة لتقييد الوصول إلى نقطة النهاية /OperateStatistic.do
3. تفعيل السجلات الشاملة ومراقبة جميع الطلبات إلى نقاط النهاية المتأثرة
الضوابط التعويضية:
1. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل VehicleID
2. تنفيذ التحقق من صحة الإدخال على مستوى التطبيق - قائمة بيضاء للأحرف الأبجدية الرقمية والواصلات فقط
3. تطبيق القيود على مستوى قاعدة البيانات: إنشاء مستخدم قاعدة بيانات للقراءة فقط
4. تفعيل تسجيل استعلامات SQL والكشف عن الحالات الشاذة
قواعد الكشف:
1. مراقبة طلبات HTTP إلى /OperateStatistic.do التي تحتوي على أحرف SQL
2. التنبيه على رسائل خطأ قاعدة البيانات المرجعة في الاستجابات
3. تتبع أنماط استعلامات قاعدة البيانات غير العادية
4. مراقبة محاولات تسرب البيانات
استراتيجية التصحيح:
1. التواصل مع بائع Streamax للحصول على تحديثات أمنية
2. تقييم حلول إدارة الأسطول البديلة
3. التخطيط للترقية إلى نسخة مصححة فور توفرها
4. توثيق جميع الضوابط التعويضية كتدابير مؤقتة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements analysis and specification
ECC 2024 A.14.2.5 - Secure development environment
ECC 2024 A.14.3.1 - Separation of development, test and production environments
ECC 2024 A.13.1.3 - Segregation of networks
ECC 2024 A.13.2.1 - Network access control
🔵 SAMA CSF
SAMA CSF ID.BE-3.2 - Organizational roles and responsibilities
SAMA CSF PR.AC-1.1 - Access control policy
SAMA CSF PR.AC-1.2 - Physical and logical access enforcement
SAMA CSF PR.DS-2.1 - Data security and protection
SAMA CSF DE.AE-1.1 - Anomalies and events detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.3 - Access control
ISO 27001:2022 A.14.2 - Secure development
ISO 27001:2022 A.14.3 - Test data
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.3 - Penetration testing
🔗 References & Sources 5