CVE-2025-10394 is a code injection vulnerability identified in version 2.0 of the fcba_zzm ics-park Smart Park Management System, specifically within an unspecified function of the Scheduled Task Module located in the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.java. The vulnerability allows an attacker to inject arbitrary code remotely without requiring user interaction or elevated privileges beyond those of an authenticated user. The attack vector is network-based (AV:N), with low attack complexity (AC:L), and no user interaction (UI:N) is needed. However, the attacker must have high privileges (PR:H) on the system to exploit this vulnerability. The impact on confidentiality, integrity, and availability is low (VC:L, VI:L, VA:L), indicating that while exploitation can lead to unauthorized code execution, the overall damage potential is limited. The vulnerability does not affect system components related to security controls or scope changes. The vulnerability has been publicly disclosed but no known exploits are currently observed in the wild. The CVSS v4.0 base score is 5.1, categorizing it as a medium severity issue. The vulnerability arises from improper input validation or sanitization in the Scheduled Task Module, allowing malicious input to be executed as code, which could lead to unauthorized command execution or system manipulation within the context of the application. Since the affected component manages scheduled tasks, exploitation could allow attackers to alter or inject malicious scheduled jobs, potentially leading to persistent unauthorized access or disruption of park management operations.

For European organizations using the fcba_zzm ics-park Smart Park Management System version 2.0, this vulnerability poses a moderate risk. The ability to inject code remotely could allow attackers with high privileges to manipulate scheduled tasks, potentially disrupting parking management services, causing operational downtime, or enabling further lateral movement within the network. Although the impact on confidentiality, integrity, and availability is rated low, the disruption of critical infrastructure services such as smart parking can have cascading effects on urban mobility and public safety. Additionally, unauthorized code execution could be leveraged to exfiltrate sensitive operational data or interfere with billing and access control systems. Given the increasing adoption of smart city technologies across Europe, any compromise of such systems could undermine public trust and lead to regulatory scrutiny under frameworks like GDPR if personal data is affected. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if attackers develop new exploit techniques.

1. Immediate patching: Organizations should monitor for official patches or updates from fcba_zzm and apply them promptly once available. 2. Access control hardening: Restrict access to the Scheduled Task Module and JobController endpoints to only trusted administrators, employing network segmentation and strong authentication mechanisms. 3. Privilege management: Review and minimize the number of users with high privileges required to exploit this vulnerability, implementing the principle of least privilege. 4. Input validation: Implement additional input sanitization and validation at the application and network layers to detect and block malicious payloads targeting scheduled tasks. 5. Monitoring and logging: Enable detailed logging of scheduled task creation and modification activities, and deploy anomaly detection to identify suspicious behavior indicative of exploitation attempts. 6. Incident response readiness: Prepare response plans specific to smart infrastructure compromise, including isolating affected systems and forensic analysis. 7. Network security: Employ web application firewalls (WAFs) with custom rules to detect and block code injection patterns targeting the vulnerable module. 8. Vendor engagement: Engage with fcba_zzm for timely vulnerability disclosures and coordinate on security improvements.