CVE-2025-10328: OS Command Injection in MiczFlor RPi-Jukebox-RFID
A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10328 is a security vulnerability in the MiczFlor RPi-Jukebox-RFID software, versions up to and including 2.8.0. The software runs on Raspberry Pi devices and provides jukebox functionality controlled via RFID tags. The vulnerability lies in the file /htdocs/api/playlist/playsinglefile.php, specifically in the handling of the 'File' argument. Because this argument is not properly validated or sanitized, an attacker can craft a 'File' value that is executed as a system command on the underlying operating system (OS command injection). The vulnerability can be exploited remotely without user interaction and, according to the summary, without authentication, increasing the risk of unauthorized access or control. The CVSS 4.0 base score is 5.3 (medium severity), with the vector components attack vector network (AV:N), low attack complexity (AC:L), privileges required PR:L, no user interaction (UI:N), and low impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Note that PR:L in CVSS 4.0 denotes low privileges required, which conflicts with the statement that no authentication is needed; treat the authentication requirement as unconfirmed until the endpoint's access control is checked. The vendor was notified but has not responded or issued a patch, and no known exploits have been observed in the wild, although the exploit has been disclosed publicly. Successful exploitation could allow attackers to execute arbitrary commands on affected Raspberry Pi devices running the vulnerable software, potentially leading to system compromise, data leakage, or disruption of service.
Potential Impact
For European organizations using MiczFlor RPi-Jukebox-RFID, particularly in environments where Raspberry Pi devices are deployed for media playback or IoT applications, this vulnerability presents a tangible risk. Exploitation could lead to unauthorized command execution, enabling attackers to manipulate or disrupt services, access sensitive data, or pivot within internal networks. Given the low complexity and remote exploitability without authentication, attackers could leverage this vulnerability to establish persistent footholds or launch further attacks. While the software is niche, organizations in sectors such as education, retail, hospitality, or cultural institutions that use Raspberry Pi-based jukebox systems could be affected. The lack of vendor response and patch availability increases exposure time. Additionally, compromised devices could be used as entry points into broader network infrastructure, impacting confidentiality, integrity, and availability of organizational resources.
Mitigation Recommendations
1. Immediate mitigation should include isolating Raspberry Pi devices running RPi-Jukebox-RFID from critical network segments to limit potential lateral movement.
2. Implement network-level access controls and firewall rules to restrict inbound traffic to the affected devices, allowing only trusted sources.
3. Monitor network traffic and system logs on these devices for unusual command execution patterns or unexpected connections.
4. Where possible, disable or restrict API access to the vulnerable playsinglefile.php endpoint until a patch is available.
5. Consider deploying application-layer firewalls or intrusion detection/prevention systems (IDS/IPS) with custom rules to detect and block command injection attempts targeting the 'File' parameter.
6. If feasible, review and sanitize inputs at the application level by modifying the source code to validate and escape user inputs properly, or apply community-sourced patches if available.
7. Maintain an inventory of all Raspberry Pi devices running this software to ensure comprehensive coverage.
8. Stay alert for vendor updates or community patches and apply them promptly once released.
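The following is an added illustration of recommendation 6, not code from RPi-Jukebox-RFID: a PHP handler that takes a user-supplied 'File' value, validates it against a character allowlist, confirms the resolved path stays inside a media directory, and only then passes it to a player command through escapeshellarg(). The media root, the player command and the use of $_GET are assumptions for this example.

```php
<?php
// Added example (not the project's own code): hardened handling of a
// user-supplied file name before it reaches a shell command.
declare(strict_types=1);

const MEDIA_ROOT = '/home/pi/RPi-Jukebox-RFID/shared/audiofolders'; // assumed
const PLAYER_CMD = '/usr/bin/mpg123 -q';                             // assumed

/**
 * Resolve a relative file name to an absolute path inside MEDIA_ROOT.
 * Returns null when the value is not acceptable, so shell metacharacters,
 * absolute paths and directory traversal never reach the command line.
 */
function resolveMediaFile(string $userFile): ?string
{
    // 1. Character allowlist: letters, digits, space, dot, dash, underscore, slash.
    if (!preg_match('#\A[A-Za-z0-9 ._/-]{1,255}\z#', $userFile)) {
        return null;
    }
    // 2. Reject absolute paths and parent-directory components.
    if ($userFile[0] === '/' || str_contains($userFile, '..')) {
        return null;
    }
    // 3. Canonicalise and require a regular file located under MEDIA_ROOT.
    $root = realpath(MEDIA_ROOT);
    $path = realpath(MEDIA_ROOT . '/' . $userFile);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

$userFile = $_GET['File'] ?? '';
$path = is_string($userFile) ? resolveMediaFile($userFile) : null;
if ($path === null) {
    http_response_code(400);
    exit('invalid File parameter');
}

// 4. Even after validation, quote the argument: escapeshellarg() wraps the
//    value in single quotes so the shell treats it as one literal word.
exec(PLAYER_CMD . ' ' . escapeshellarg($path), $output, $status);
if ($status !== 0) {
    http_response_code(500);
    exit('player command failed');
}
echo 'playing';
```

Steps 1 to 3 are the actual defence; step 4 is defence in depth, and neither replaces the network-level restrictions in recommendations 1, 2 and 4.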
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-12T08:34:31.071Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c49285e7ced5bb5fd749ba
Added to database: 9/12/2025, 9:37:09 PM
Last enriched: 9/21/2025, 12:41:25 AM
Last updated: 10/30/2025, 5:02:02 AM
Views: 51