CVE-2025-10398 is a medium-severity vulnerability identified in the fcba_zzm ics-park Smart Park Management System version 2.0. The flaw resides in the file FileUploadUtils.java, where improper validation or sanitization of the File argument allows an attacker to perform unrestricted file uploads remotely. This means an attacker can upload arbitrary files, potentially including malicious scripts or executables, without authentication or user interaction. The vulnerability is remotely exploitable over the network with low attack complexity and does not require privileges or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability, reflecting the medium severity score of 5.3. Although no public exploit is currently known to be actively used in the wild, the exploit code has been publicly released, increasing the likelihood of exploitation. The unrestricted upload can lead to remote code execution, data compromise, or service disruption if the uploaded files are executed or processed by the system. The vulnerability affects only version 2.0 of the product, and no official patches or mitigations have been published yet.

For European organizations deploying the fcba_zzm ics-park Smart Park Management System 2.0, this vulnerability poses a significant risk to operational continuity and data security. Smart park management systems often control access, monitor parking spaces, and handle payment or user data, so exploitation could lead to unauthorized access to physical infrastructure or sensitive information. Attackers could upload web shells or malware, enabling persistent access or lateral movement within the network. This could disrupt parking services, cause financial losses, or damage organizational reputation. Given the remote exploitability and lack of required authentication, attackers can target these systems en masse, potentially impacting multiple European cities or facilities using this software. The partial impact on confidentiality, integrity, and availability means that while the system may not be fully compromised, attackers could still cause meaningful damage or data leakage. The absence of patches increases the urgency for European entities to implement compensating controls to prevent exploitation.

1. Immediate deployment of network-level protections such as web application firewalls (WAFs) configured to detect and block suspicious file upload attempts targeting the vulnerable endpoint. 2. Restrict access to the smart park management system's upload functionality by IP whitelisting or VPN-only access to reduce exposure to the internet. 3. Implement strict file type and content validation at the network perimeter or proxy level to prevent execution of malicious files. 4. Monitor logs and network traffic for unusual upload activity or anomalies indicating exploitation attempts. 5. If possible, disable or restrict the file upload feature temporarily until a vendor patch is released. 6. Conduct thorough security assessments and penetration testing focused on file upload mechanisms to identify and remediate similar weaknesses. 7. Engage with the vendor for timely patch releases and apply updates as soon as they become available. 8. Educate operational staff about the risks and signs of exploitation to enable rapid incident response.