
CVE-2025-10326: OS Command Injection in MiczFlor RPi-Jukebox-RFID

Severity: Medium
Published: Fri Sep 12 2025 (09/12/2025, 20:32:05 UTC)
Source: CVE Database V5
Vendor/Project: MiczFlor
Product: RPi-Jukebox-RFID

Description

A security flaw has been discovered in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected is an unknown function of the file /htdocs/api/playlist/single.php. Performing manipulation of the argument playlist results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/21/2025, 00:41:07 UTC

Technical Analysis

CVE-2025-10326 is an OS command injection vulnerability in MiczFlor RPi-Jukebox-RFID (the Phoniebox project), affecting versions up to and including 2.8.0. The flaw lies in the file /htdocs/api/playlist/single.php, in a function the advisory does not name, which passes the 'playlist' request parameter into an operating system command without adequate validation or escaping. htdocs is the project's web root, so on a default installation that file is served as the /api/playlist/single.php endpoint of the jukebox's web interface. An attacker who can reach the endpoint can place shell metacharacters in the playlist value and execute arbitrary commands with the privileges of the web server process on the Raspberry Pi, potentially leading to full compromise of the device.

The attack vector is network-based, so physical access is not required. The summary on this page states that the CVSS 4.0 vector requires neither user interaction nor privileges; the vector string itself is not reproduced here. Note that a CVSS 4.0 base score of 5.3 for a network-reachable issue with low confidentiality, integrity and availability impact corresponds to low privileges required (PR:L), whereas the same vector with no privileges required (PR:N) scores 6.9. Check the vector in the CVE record before treating the issue as exploitable without authentication, and check whether your own deployment exposes the web interface without any login, since that determines the practical precondition regardless of the score.

The vendor was contacted before disclosure and has not responded, no official fix is available, and exploit code has been published, which raises the likelihood of opportunistic exploitation. RPi-Jukebox-RFID is a Raspberry Pi music player controlled by RFID tags, used mostly by hobbyists, in schools, and in small commercial settings. A compromised device can be used to read data held on it, alter its behaviour, or pivot to other hosts on the same network.
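The following is an added illustration of the vulnerability class described above, written in Python. It is not the project's PHP code and does not reproduce /htdocs/api/playlist/single.php; the command it runs is a harmless echo standing in for whatever player command the real endpoint invokes, and the attacker input is constructed for this example, not taken from any published exploit. It shows the two things a practitioner needs: how a playlist name with a shell separator becomes a second command when the string is handed to a shell, and how an allowlist plus an argv list (no shell) closes the hole.

```python
"""Vulnerable versus hardened handling of a user-supplied playlist name.

Added illustration of OS command injection; NOT the project's PHP code.
The executed command is a harmless `echo` standing in for a player command.
"""
import re
import subprocess

# Constructed attacker input (hypothetical, not from any published exploit):
# a "playlist name" that smuggles a second command after a shell separator.
INJECTED_NAME = "party; echo INJECTED"

# Allowlist for playlist names: letters, digits, space, underscore, dot, dash.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def build_command_unsafe(playlist: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell string."""
    return f"echo loading playlist {playlist}"


def load_playlist_unsafe(playlist: str) -> str:
    """Runs the concatenated string through /bin/sh, so metacharacters are honoured."""
    result = subprocess.run(build_command_unsafe(playlist), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def injection_succeeded(playlist: str) -> bool:
    """True when the unsafe path executed the smuggled second command."""
    return "INJECTED" in load_playlist_unsafe(playlist)


def is_valid_playlist_name(playlist: str) -> bool:
    """Allowlist check: the whole value must match SAFE_NAME."""
    return SAFE_NAME.fullmatch(playlist) is not None


def load_playlist_safe(playlist: str) -> list:
    """Hardened pattern: validated name, argv list, no shell interpretation.

    Returns the argv actually executed so callers can inspect it.
    """
    if not is_valid_playlist_name(playlist):
        raise ValueError(f"invalid playlist name: {playlist!r}")
    argv = ["echo", "loading", "playlist", playlist]
    subprocess.run(argv, check=True, capture_output=True, text=True)
    return argv


if __name__ == "__main__":
    print(load_playlist_unsafe(INJECTED_NAME), end="")  # echo line, then INJECTED
    print(load_playlist_safe("Kids Songs"))
    try:
        load_playlist_safe(INJECTED_NAME)
    except ValueError as exc:
        print("rejected:", exc)
```

Passing an argv list without a shell is the decisive change; the allowlist is defence in depth, and escaping alone (escapeshellarg in PHP, shlex.quote in Python) is the weaker fallback when a shell cannot be avoided.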

Potential Impact

For European organizations, the impact depends on where RPi-Jukebox-RFID devices are deployed. The software is used mainly by hobbyists and in small-scale settings, but schools, museums and small businesses in Europe do use it for interactive exhibits or background music. Successful exploitation gives an attacker control of the device, which can then be used to disrupt the service, read whatever data the device holds, or act as a foothold for further intrusion into the network it sits on. The vulnerability does not target critical infrastructure, but remote exploitation with at most low privileges, on a device that is rarely hardened or monitored, is a concern for any network it is connected to. The lack of a vendor response and of a patch extends the window of exposure. Organizations with less mature security practices, or running the device with default configuration, are the most exposed. The medium severity rating indicates moderate risk, but the public availability of exploit code makes attack attempts more likely, particularly where the device is reachable from the internet or sits on a poorly segmented network.

Mitigation Recommendations

No official patch was available as of this page's last update, so organizations running RPi-Jukebox-RFID should reduce exposure directly. Do not expose the device's web interface to the internet. Place the device on a segmented network and restrict access to its web port to the hosts that need it, using firewall rules, a VPN, or IP allowlisting; the vulnerable endpoint is the file /htdocs/api/playlist/single.php, which the web server normally serves as /api/playlist/single.php. If the playlist API is not needed, block or remove that endpoint at the web server, or put the whole web interface behind a reverse proxy that requires authentication. Where the device serves a business function and cannot be protected this way, consider replacing it until a fix is available.

For detection, monitor the web server's access logs for requests to the playlist endpoint whose playlist parameter contains shell metacharacters (; | & ` $ < >), and use a host-based intrusion detection tool on the Raspberry Pi to alert on unexpected child processes of the web server. Audit the device's configuration and logs regularly for signs of compromise, and treat any device that has been reachable from untrusted networks as potentially compromised. Watch the project repository for a fix and apply it promptly. Finally, make sure users and administrators understand the risk of placing such devices on untrusted networks without these protections.
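The log check described above, as an added detection example that is not part of the advisory or of the project. It assumes Common Log Format access-log lines (as written by lighttpd or Apache) and that the project's htdocs directory is the web root, so the file /htdocs/api/playlist/single.php is requested as /api/playlist/single.php; the sample log lines are constructed for this example. It flags requests to that endpoint whose playlist parameter, after percent-decoding, contains a shell metacharacter.

```python
"""Scan web-server access logs for command-injection attempts against the
playlist endpoint.

Added detection example; not part of the advisory or the project. Assumes
Common Log Format and that htdocs is the web root. Sample lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one benign request, two injection attempts, one unrelated hit.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2025:20:32:05 +0000] "GET /api/playlist/single.php?playlist=Kids%20Songs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Sep/2025:20:33:11 +0000] "GET /api/playlist/single.php?playlist=x%3Bid HTTP/1.1" 200 87 "-" "curl/8.0.1"
192.0.2.44 - - [12/Sep/2025:20:33:19 +0000] "GET /api/playlist/single.php?playlist=x%60id%60 HTTP/1.1" 200 87 "-" "curl/8.0.1"
192.0.2.10 - - [12/Sep/2025:20:34:00 +0000] "GET /api/playlist/all.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed web path of /htdocs/api/playlist/single.php when htdocs is the web root.
ENDPOINT_SUFFIX = "/api/playlist/single.php"
# Characters that let a value escape a shell command. Adding quotes and
# backslash raises recall at the cost of noise (names like Rock'n'Roll fire).
SHELL_META = re.compile(r"[;|&`$<>\n\r]")


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into fields plus a decoded query dict, or None."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so %3B comes back as ';' and %60 as '`'.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_suspicious(log_text: str) -> list:
    """Return one record per request to the endpoint whose playlist value
    contains a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(ENDPOINT_SUFFIX):
            continue
        for value in rec["query"].get("playlist", []):
            if SHELL_META.search(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "playlist": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

This only sees parameters sent in the query string; if the endpoint is called with a POST body, the access log will not contain the value, and you need request-body logging at the web server or reverse proxy, or process-level monitoring on the Pi, to catch it. A 200 status on a flagged request is worth treating as a probable success, since nothing on the page suggests the endpoint rejects bad input.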


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-12T08:34:24.709Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c4a9e26da8ad0abf36f280

Added to database: 9/12/2025, 11:16:50 PM

Last enriched: 9/21/2025, 12:41:07 AM

Last updated: 10/29/2025, 9:30:01 AM
