
CVE-2025-10394: Code Injection in fcba_zzm ics-park Smart Park Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-10394
Published: Sun Sep 14 2025 (09/14/2025, 06:32:05 UTC)
Source: CVE Database V5
Vendor/Project: fcba_zzm
Product: ics-park Smart Park Management System

Description

A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Affected is an unknown function of the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java of the component Scheduled Task Module. Such manipulation leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/15/2025, 00:10:28 UTC

Technical Analysis

CVE-2025-10394 is a medium-severity code injection vulnerability identified in version 2.0 of the fcba_zzm ics-park Smart Park Management System. The vulnerability resides in an unspecified function within the Scheduled Task Module, specifically in the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java. This module manages scheduled tasks, which likely involves executing code or commands at predefined intervals. According to the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:H), the flaw is reachable over the network with low attack complexity and requires no user interaction, but it does require high privileges (PR:H): an attacker needs authenticated access with elevated permissions before the code injection can be performed. The impact on confidentiality, integrity, and availability is rated low to limited, but the vulnerability still permits execution of arbitrary code, which could lead to unauthorized actions or system compromise. The vulnerability has been publicly disclosed, but no known exploits have been observed in the wild to date. The CVSS 4.0 base score is 5.1, reflecting a medium severity level. Because no patch or mitigation links are available, users of the affected system should prioritize risk assessment and implement compensating controls until an official fix is released.

Potential Impact

For European organizations using the ics-park Smart Park Management System version 2.0, this vulnerability poses a moderate risk. The system is likely deployed in smart parking infrastructure, which is critical for urban mobility and traffic management. Exploitation could allow an attacker with elevated privileges to inject malicious code, potentially disrupting parking services, manipulating scheduling tasks, or gaining further access to internal networks. This could lead to service outages, data manipulation, or unauthorized access to sensitive operational data. While the requirement for high privileges reduces the likelihood of exploitation by external attackers, insider threats or compromised credentials could facilitate attacks. Disruption of smart parking systems could impact city traffic flow and user experience, and in some cases, may have cascading effects on other integrated smart city services. The medium severity suggests that while immediate catastrophic impacts are unlikely, the vulnerability should be addressed promptly to maintain operational integrity and trust.

Mitigation Recommendations

1. Restrict access to the Scheduled Task Module and JobController endpoints to only trusted and necessary personnel, enforcing strict role-based access controls to minimize the risk of privilege abuse.
2. Monitor and audit all activities related to scheduled tasks for unusual or unauthorized modifications, enabling early detection of potential exploitation attempts.
3. Employ network segmentation to isolate the smart parking management system from broader enterprise networks, limiting lateral movement opportunities for attackers.
4. Implement multi-factor authentication (MFA) for all users with high privileges to reduce the risk of credential compromise.
5. Regularly review and update system configurations to ensure minimal privileges are granted and unnecessary services are disabled.
6. Since no patch is currently available, consider deploying web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) with custom rules to detect and block suspicious code injection patterns targeting the affected module.
7. Engage with the vendor or community to obtain updates on patches or security advisories and plan for timely application of fixes once released.
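Recommendations 1 and 2 above come down to a concrete check: every successful write to the scheduled-task endpoints should come from an approved operator, during an approved change window. The script below is an added example (not code from the advisory, VulDB, or the ics-park project) that runs that check over constructed application access-log lines. The log line format, the `/monitor/job` path prefix, the approved-operator set and the change window are all assumptions; substitute the values from your own deployment.

```python
"""Audit scheduled-task changes recorded in application access logs.

Added example for CVE-2025-10394 mitigations 1 and 2. Everything below
(log format, endpoint prefix, operator list, change window) is assumed.
"""
import re
from datetime import datetime, time

# Assumed: JobController routes live under this prefix (placeholder value).
JOB_ENDPOINT_PREFIX = "/monitor/job"
# Only state-changing requests count as task modifications.
WRITE_METHODS = {"POST", "PUT", "DELETE"}
# Assumed: the identities allowed to modify scheduled tasks (constructed).
APPROVED_OPERATORS = {"ops_scheduler"}
# Assumed: changes are expected only inside this nightly window.
CHANGE_WINDOW = (time(1, 0), time(4, 0))

# Assumed log line shape: "<ISO timestamp> user=<name> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = [
    "2025-09-14T02:10:00 user=ops_scheduler PUT /monitor/job 200",
    "2025-09-14T14:32:11 user=webadmin POST /monitor/job 200",
    "2025-09-14T14:33:40 user=webadmin GET /monitor/job/list 200",
    "2025-09-14T03:05:00 user=ops_scheduler DELETE /monitor/job/12 200",
    "2025-09-14T09:00:00 user=ops_scheduler PUT /monitor/job 200",
    "2025-09-14T15:00:00 user=guest POST /monitor/job 403",
    "this line is not in the expected format",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() < end


def audit_job_changes(lines):
    """Return one alert per successful task modification that breaks policy."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(JOB_ENDPOINT_PREFIX):
            continue
        if rec["method"] not in WRITE_METHODS:
            continue  # reads are not modifications
        if rec["status"] >= 400:
            continue  # request was rejected; count these separately if useful
        reasons = []
        if rec["user"] not in APPROVED_OPERATORS:
            reasons.append("unapproved operator")
        if not in_change_window(rec["ts"]):
            reasons.append("outside change window")
        if reasons:
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "user": rec["user"],
                "method": rec["method"],
                "path": rec["path"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in audit_job_changes(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script raises two alerts: the daytime `POST` by `webadmin` (unapproved operator, outside the window) and the 09:00 `PUT` by the approved operator (outside the window only). Feeding the same logic from a log shipper into a SIEM gives the early-detection signal recommendation 2 asks for without needing any knowledge of the unpublished injection details.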


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-13T15:13:02.580Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c7591939776bc2a1466a6a

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:10:28 AM

Last updated: 9/15/2025, 2:04:29 AM

