
CVE-2025-10327: OS Command Injection in MiczFlor RPi-Jukebox-RFID

Severity: Medium
Published: Fri Sep 12 2025 (09/12/2025, 21:02:06 UTC)
Source: CVE Database V5
Vendor/Project: MiczFlor
Product: RPi-Jukebox-RFID

Description

A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to version 2.8.0. Affected by this vulnerability is an unknown function of the file /htdocs/api/playlist/shuffle.php. Manipulation of the argument playlist can lead to OS command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 23:17:22 UTC

Technical Analysis

CVE-2025-10327 is a security vulnerability in the MiczFlor RPi-Jukebox-RFID software, affecting versions up to 2.8.0. It exists in the /htdocs/api/playlist/shuffle.php file, where the 'playlist' argument is handled improperly and allows OS command injection: an attacker who can reach the API can craft the argument so that arbitrary operating system commands run on the underlying device. No user interaction is required, and the attack is carried out remotely over the network. The CVSS v4.0 score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity and no user interaction, but low privileges required, so some level of access to the API is assumed. The impact on confidentiality, integrity and availability is rated limited but present, since the injected commands may expose or modify data or disrupt the service. The vendor was notified but has not responded or issued a patch, and a public exploit is available, which raises the likelihood of exploitation. RPi-Jukebox-RFID is a Raspberry Pi-based jukebox that uses RFID tags for playlist control and is typically found in hobbyist, educational or small business settings. Successful exploitation could give an attacker control of the device, from which they could disrupt audio services or pivot into connected networks.

Potential Impact

For European organizations, the impact depends on the deployment scale of RPi-Jukebox-RFID devices. While primarily used in niche or small-scale environments, organizations using these devices in public spaces, educational institutions, or small retail settings could face unauthorized access, data leakage, or service disruption. Compromise of these devices could serve as a foothold for lateral movement within internal networks, especially if the devices are connected to critical infrastructure or sensitive environments. The lack of vendor response and public exploit availability increases the risk of opportunistic attacks. Additionally, organizations may face compliance risks under GDPR if personal data is processed or exposed through compromised devices. The medium severity rating suggests that while the threat is not critical, it should not be ignored, especially in environments where device integrity and availability are important.

Mitigation Recommendations

Given the absence of an official patch, organizations should implement compensating controls. First, isolate RPi-Jukebox-RFID devices on segmented networks with strict firewall rules so that the affected API endpoint cannot be reached from untrusted networks. Disable or restrict access to the shuffle.php API if it is not required. Monitor network traffic and web-server logs for unusual requests to the endpoint or unexpected outbound connections originating from these devices. Use host-based intrusion detection to catch suspicious command execution spawned by the web server process. Upgrade to newer versions if the vendor releases a patch, or consider alternative software that does not carry this vulnerability. Additionally, enforce strict access controls and change default credentials so that the web application runs with the least privilege possible. Regularly audit the devices for unauthorized changes and keep up-to-date backups to recover from a compromise. Finally, make users and administrators aware of the risk and of the signs of exploitation.
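As a concrete illustration of the log-monitoring recommendation above, the following is an added example (not code from the advisory or from the RPi-Jukebox-RFID project) that scans web-server access-log lines for requests to the shuffle endpoint whose playlist value falls outside a strict allowlist of characters. It assumes /htdocs is the web root, so the endpoint is served at /api/playlist/shuffle.php, and the log lines are constructed samples in combined log format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2025:21:05:01 +0000] "GET /api/playlist/shuffle.php?playlist=Kids%20Songs HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Sep/2025:21:05:07 +0000] "GET /api/playlist/shuffle.php?playlist=Kids%3Bid HTTP/1.1" 200 17 "-" "curl/8.0"
192.0.2.12 - - [12/Sep/2025:21:05:09 +0000] "GET /api/playlist/shuffle.php?playlist=%60uname%60 HTTP/1.1" 200 17 "-" "curl/8.0"
192.0.2.13 - - [12/Sep/2025:21:05:12 +0000] "GET /api/playlist/list.php?playlist=Kids%3Bid HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: /htdocs is the document root, so the vulnerable file is reachable here.
WATCHED_PATH = "/api/playlist/shuffle.php"

# Allowlist of what a playlist name is expected to look like; anything else is suspect.
# An allowlist is preferred over a blocklist of shell metacharacters, which is easy to get wrong.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious_requests(log_text):
    """Return one record per request to the shuffle endpoint whose playlist value is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        if url.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are checked in decoded form.
        for value in parse_qs(url.query).get("playlist", []):
            if not SAFE_VALUE_RE.match(value):
                hits.append({"ip": rec["ip"], "time": rec["ts"], "playlist": value})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} suspicious playlist value: {hit['playlist']!r}")
```

Access logs only record query strings, so a request that delivers the playlist value in a POST body is invisible to this check and needs request-body logging or a web application firewall in front of the device.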


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-12T08:34:28.733Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c4a9e26da8ad0abf36f27a

Added to database: 9/12/2025, 11:16:50 PM

Last enriched: 9/12/2025, 11:17:22 PM

Last updated: 9/13/2025, 4:06:49 AM
