
CVE-2025-10398: Unrestricted Upload in fcba_zzm ics-park Smart Park Management System

Severity: Medium
Published: Sun Sep 14 2025 (09/14/2025, 12:02:07 UTC)
Source: CVE Database V5
Vendor/Project: fcba_zzm
Product: ics-park Smart Park Management System

Description

A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 09/14/2025, 12:15:12 UTC

Technical Analysis

CVE-2025-10398 is a medium-severity vulnerability identified in version 2.0 of the fcba_zzm ics-park Smart Park Management System. The flaw resides in the FileUploadUtils.java component, where improper validation of the 'File' argument allows an attacker to perform unrestricted file uploads. As the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates, the vulnerability is reachable over the network, has low attack complexity, needs no user interaction, and requires only low-privileged access to the application. The unrestricted upload capability could enable an attacker to upload malicious files, such as web shells or malware, potentially leading to unauthorized code execution, data compromise, or disruption of the affected system. Although the CVSS score is 5.3 (medium), exploitation is relatively straightforward given the low attack complexity and the low privilege requirement. The impact on confidentiality, integrity, and availability is rated low in the CVSS vector. No official patches or mitigations have been published yet, and while no known exploits are currently observed in the wild, the public release of exploit code increases the risk of exploitation.

Potential Impact

For European organizations using the fcba_zzm ics-park Smart Park Management System version 2.0, this vulnerability poses a tangible risk. Smart Park Management Systems often integrate with physical infrastructure and operational technology, so exploitation could lead to unauthorized access to parking management controls, disruption of parking services, or compromise of sensitive operational data. This could affect service availability and potentially impact safety if the system is integrated with other smart city systems. Confidentiality risks include exposure of user data or system configuration files. Integrity risks involve unauthorized modification of system files or configurations. Availability could be impacted if attackers deploy ransomware or cause system crashes via malicious uploads. Given the remote exploitability and lack of required user interaction, attackers could automate attacks at scale against multiple installations. The public availability of exploit code further elevates the threat level, especially for organizations that have not applied mitigations or, once a fix is released, upgraded to a patched version. The impact is particularly significant for municipalities and private operators relying on this system for critical parking infrastructure management.

Mitigation Recommendations

1. Immediate mitigation should include restricting file upload functionality by implementing strict server-side validation of file types, sizes, and content to prevent malicious files from being accepted.
2. Employ allowlisting of permitted file extensions and use content inspection techniques such as MIME type verification and file signature checks.
3. Implement authentication and authorization checks to ensure only trusted users can upload files, and enforce the principle of least privilege.
4. Deploy web application firewalls (WAFs) with rules designed to detect and block suspicious file upload attempts targeting this vulnerability.
5. Monitor system logs for unusual file upload activity and conduct regular audits of uploaded files.
6. Isolate the file upload functionality in a sandboxed environment or on a separate server to limit potential damage.
7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability and plan for timely patch deployment once available.
8. If patching is delayed, consider temporarily disabling file upload features if operationally feasible.
9. Educate operational staff about the risks and signs of exploitation to enhance detection and response capabilities.
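Recommendations 1 and 2 above describe the server-side checks that an upload utility should perform. The following Java class is an added illustration of those checks and is not the vendor's FileUploadUtils.java, whose internals are not described on this page. The allowed types (PNG, JPEG, PDF), the 5 MiB limit, the upload root, and the class and method names are assumptions chosen for the example; adapt them to what the application actually needs.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Hardened upload validation (added example; assumed names, not the vendor's code). */
public final class SafeUploadValidator {

    // Allowlist of extensions the application actually needs (assumption for this example).
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "jpeg", "pdf");

    // File signatures (magic bytes) checked against the content, not the client-supplied name.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf",  new byte[] {'%', 'P', 'D', 'F', '-'});

    private static final long MAX_BYTES = 5L * 1024 * 1024; // 5 MiB size limit (assumption)

    // Storage directory; should live outside the servlet container's document root.
    private final Path uploadRoot;

    public SafeUploadValidator(Path uploadRoot) {
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /** Returns the lower-cased extension if the client-supplied name passes the allowlist. */
    static String checkedExtension(String originalName) {
        // Keep only the final path component so "../" or "..\" prefixes carry no meaning.
        int cut = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));
        String base = originalName.substring(cut + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("file name must have a single extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Reject anything not allowlisted, and reject double extensions (e.g. name.jsp.png).
        if (!ALLOWED_EXTENSIONS.contains(ext) || base.substring(0, dot).indexOf('.') >= 0) {
            throw new IllegalArgumentException("extension not permitted: " + ext);
        }
        return ext;
    }

    /** True if the leading bytes of the content carry the signature expected for ext. */
    static boolean signatureMatches(String ext, byte[] head) {
        byte[] magic = MAGIC.get(ext);
        if (magic == null || head.length < magic.length) {
            return false;
        }
        return Arrays.equals(Arrays.copyOf(head, magic.length), magic);
    }

    /**
     * Validates and stores one upload. The stored name is generated server-side,
     * so the client never controls the path or the extension written to disk.
     */
    public Path store(String originalName, long declaredSize, InputStream in) throws IOException {
        if (declaredSize > MAX_BYTES) {
            throw new IllegalArgumentException("file too large");
        }
        String ext = checkedExtension(originalName);

        // Read at most MAX_BYTES + 1 so an understated Content-Length cannot bypass the limit.
        byte[] content = in.readNBytes((int) MAX_BYTES + 1);
        if (content.length > MAX_BYTES) {
            throw new IllegalArgumentException("file too large");
        }
        if (!signatureMatches(ext, content)) {
            throw new IllegalArgumentException("content does not match the declared type");
        }

        Path target = uploadRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(uploadRoot)) {
            throw new IllegalStateException("target path escaped the upload root");
        }
        Files.createDirectories(uploadRoot);
        Files.write(target, content);
        return target;
    }

    /** Small demonstration with constructed input: a valid PNG header and a rejected name. */
    public static void main(String[] args) throws IOException {
        SafeUploadValidator v = new SafeUploadValidator(Files.createTempDirectory("uploads"));
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        System.out.println("stored: " + v.store("photo.png", png.length, new ByteArrayInputStream(png)));
        try {
            v.store("../shell.jsp", png.length, new ByteArrayInputStream(png));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that every decision is made from data the server controls: the extension is taken from an allowlist, the type is confirmed from the file's own bytes rather than the client's Content-Type header, the size is enforced on the bytes actually read, and the on-disk name is generated rather than copied from the request. Serving stored files back with a fixed Content-Type and a Content-Disposition: attachment header, from a location the application server does not execute, closes the remaining gap that a web shell upload relies on.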


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-13T19:23:03.798Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c6b1b98474b5068df1b80e

Added to database: 9/14/2025, 12:14:49 PM

Last enriched: 9/14/2025, 12:15:12 PM

Last updated: 9/14/2025, 6:59:36 PM

