CVE-2025-10327 is an OS command injection vulnerability identified in the MiczFlor RPi-Jukebox-RFID software, specifically in the /htdocs/api/playlist/shuffle.php endpoint. The vulnerability arises from insufficient input validation or sanitization of the 'playlist' parameter, allowing an attacker to inject arbitrary operating system commands. This flaw can be exploited remotely without authentication or user interaction, making it accessible to any attacker with network access to the device. The affected versions range from 2.0 through 2.8.0. The vulnerability's CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no authentication required, no user interaction, and partial impacts on confidentiality, integrity, and availability. The vendor was contacted but has not issued a patch or mitigation guidance, and no public exploits have been observed yet. The RPi-Jukebox-RFID software is commonly used on Raspberry Pi devices for media playback controlled via RFID tags, often in home automation or educational environments. Successful exploitation could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exposure, or service disruption. Given the public availability of exploit details, the risk of exploitation may increase over time.

For European organizations, the impact of this vulnerability depends on the deployment scale of RPi-Jukebox-RFID devices. While primarily used in hobbyist, educational, or small-scale commercial settings, compromised devices could serve as entry points into broader networks, especially if connected to internal systems. Attackers could execute arbitrary commands, leading to unauthorized data access, device control, or pivoting to other network assets. In environments where these devices manage or integrate with critical media or automation systems, availability and integrity could be affected, disrupting operations. The lack of vendor response and patch increases the risk exposure. Organizations in sectors with extensive use of Raspberry Pi devices, such as education, research, and small businesses, may face higher risks. Additionally, if devices are accessible from the internet or poorly segmented networks, the threat escalates. However, the medium CVSS score reflects that exploitation requires some privileges (PR:L), limiting immediate widespread impact.

1. Restrict network access to RPi-Jukebox-RFID devices by implementing firewall rules or network segmentation to limit exposure of the /htdocs/api/playlist/shuffle.php endpoint to trusted hosts only. 2. Monitor network traffic and device logs for unusual or suspicious requests targeting the playlist API, indicating potential exploitation attempts. 3. Disable or remove the vulnerable shuffle.php API if not required for operational purposes to reduce the attack surface. 4. Employ host-based intrusion detection systems on Raspberry Pi devices to detect anomalous command execution or process behavior. 5. Maintain strict access controls on devices, ensuring only authorized personnel can modify or interact with the software. 6. Regularly back up device configurations and data to enable recovery in case of compromise. 7. Engage with the vendor or community to track any forthcoming patches or updates and apply them promptly once available. 8. Consider deploying application-layer firewalls or reverse proxies that can sanitize or block malicious input targeting the vulnerable parameter. 9. Educate users and administrators about the risks of exposing IoT or embedded devices to untrusted networks.