
CVE-2025-10252: Deserialization in SEAT Queue Ticket Kiosk

Severity: Low
Published: Thu Sep 11 2025 (09/11/2025, 13:32:04 UTC)
Source: CVE Database V5
Vendor/Project: SEAT
Product: Queue Ticket Kiosk

Description

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. This affects an unknown part of the component Java RMI Registry Handler. This manipulation causes deserialization. The attack can only be done within the local network. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/11/2025, 13:39:39 UTC

Technical Analysis

CVE-2025-10252 is a deserialization vulnerability in the SEAT Queue Ticket Kiosk product, affecting versions up to 20250827. The flaw resides in the Java RMI (Remote Method Invocation) Registry Handler component, which handles remote method calls and the serialization and deserialization of the objects they carry. Deserialization vulnerabilities arise when untrusted data is deserialized without proper validation, which can allow an attacker to execute arbitrary code or manipulate application logic.

In this case the attack vector is limited to the local network: an attacker must have access to the same LAN as the vulnerable kiosk. Exploitation complexity is rated high, meaning success requires advanced skills or specific conditions, and exploitability is considered difficult. Nothing indicates that user interaction or authentication is required, but the attack surface is constrained by the network access requirement. The vendor has not responded to disclosure attempts, and no patches or mitigations have been published.

The CVSS 4.0 base score is 2.3, a low severity that reflects the local attack vector, the high complexity, and the minimal impact on confidentiality, integrity, and availability. No exploits are known to be in the wild. An attacker within the local network could manipulate the kiosk system, potentially causing denial of service or limited unauthorized actions, but widespread or remote exploitation is unlikely given these constraints.

Potential Impact

For European organizations deploying SEAT Queue Ticket Kiosk systems, particularly in environments such as public transport stations, event venues, or customer service centers, this vulnerability poses a localized risk. An attacker with local network access could exploit the deserialization flaw to disrupt kiosk operations, potentially causing service interruptions or unauthorized manipulation of ticketing processes. While the impact on confidentiality and integrity is low, availability could be affected if the kiosk system is destabilized. The limited attack vector reduces the risk of large-scale attacks, but insider threats or attackers gaining local network access (e.g., via compromised devices or Wi-Fi access) could leverage this vulnerability. Organizations in Europe with high-density public venues or critical infrastructure using these kiosks should be aware of the potential for localized disruption. The lack of vendor response and patches increases the risk of prolonged exposure.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement network segmentation to isolate SEAT Queue Ticket Kiosk systems from general user networks, restricting access to trusted devices only. Employ strict access controls and monitoring on local networks to detect unauthorized devices or suspicious activity. Disable or restrict Java RMI services if not essential, or apply runtime protections such as Java security manager policies to limit deserialization operations. Conduct regular network scans and vulnerability assessments to identify exposed kiosk systems. Additionally, consider deploying host-based intrusion detection systems (HIDS) on kiosk devices to monitor for anomalous behavior indicative of exploitation attempts. Organizations should also engage with SEAT for updates and monitor security advisories for patches or mitigations. Finally, implement strong physical security controls to prevent unauthorized local network access.
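As an added example (not the vendor's or this page's own code), the following Java program shows what "limit deserialization operations" looks like in practice on a JDK 9+ runtime: a JEP 290 serialization filter that admits only an allowlist of classes and rejects everything else before any constructor or readObject logic runs. The class names and the contents of the allowlist are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Added example: a per-stream JEP 290 deserialization filter that only admits
// the classes a ticket queue would legitimately exchange (assumed allowlist).
public class RmiDeserializationFilterDemo {

    // Allowlist java.lang and java.util types; "!*" rejects every other class.
    // maxdepth bounds object-graph nesting to blunt resource-exhaustion inputs.
    static final ObjectInputFilter TICKET_FILTER =
        ObjectInputFilter.Config.createFilter("maxdepth=8;java.lang.*;java.util.*;!*");

    // Constructed stand-in for any class the kiosk never expects on the wire.
    static class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist applied to this stream only.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(TICKET_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected traffic: a list of ticket numbers passes the filter.
        List<String> tickets = new ArrayList<>(List.of("A-101", "A-102"));
        System.out.println("allowed: " + deserializeFiltered(serialize(tickets)));

        // Unexpected class: rejected with InvalidClassException, no code of
        // the class is executed.
        try {
            deserializeFiltered(serialize(new UnexpectedPayload()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For the RMI registry itself, the JVM-wide equivalent is the `sun.rmi.registry.registryFilter` system property (same pattern syntax, JDK 8u121 and later), which is applied to objects the registry deserializes; a process-wide default can be set with `jdk.serialFilter`.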


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-11T05:25:23.534Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c2d10a9e4a63635b8cb09d

Added to database: 9/11/2025, 1:39:22 PM

Last enriched: 9/11/2025, 1:39:39 PM

Last updated: 9/11/2025, 2:49:24 PM
