CVE-2025-10328

MediumPublic PoC

Published: 12 September 2025

Published

12 September 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0067 71.6th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10328 is a medium-severity Command Injection (CWE-77) vulnerability in Sourcefabric Rpi-Jukebox-Rfid. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1202 Indirect Command Execution Stealth

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

attack.mitre.org →

Why these techniques?

OS command injection vulnerability in public-facing web endpoint (/htdocs/api/playlist/playsinglefile.php) enables exploitation of public-facing application (T1190), indirect command execution via the vulnerable script (T1202), and remote execution of Unix shell commands (T1059.004) on Linux-based Raspberry Pi system.

NVD Description

A security vulnerability has been detected in MiczFlor RPi-Jukebox-RFID up to 2.8.0. Affected by this issue is some unknown functionality of the file /htdocs/api/playlist/playsinglefile.php. The manipulation of the argument File leads to os command injection. The attack may be initiated…

remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2025-10328 is an OS command injection vulnerability affecting MiczFlor RPi-Jukebox-RFID versions up to 2.8.0. The issue resides in the /htdocs/api/playlist/playsinglefile.php file, where manipulation of the "File" argument enables arbitrary command execution. This flaw, classified under CWE-77 and CWE-78, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating moderate severity with network accessibility and low attack complexity.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely by crafting a malicious "File" parameter in requests to the affected endpoint, leading to OS command injection. Successful exploitation allows limited impacts: low-level disclosure of confidential information, modification of data or system state, and denial of service through availability disruption. The exploit has been publicly disclosed, increasing the risk of active use.

Advisories from VulDB and related disclosures, including a GitHub proof-of-concept at https://github.com/YZS17/CVE/blob/main/RPi-Jukebox-RFID/rce5.md, detail the vulnerability but report no vendor response despite early notification. No patches or official mitigations are available, leaving affected systems reliant on network controls, input validation, or disabling the endpoint.

The public availability of the exploit PoC heightens the urgency for users of RPi-Jukebox-RFID to monitor and restrict access to the API endpoint until further vendor action.

Details

CWE(s): CWE-77 CWE-78

Affected Products

sourcefabric

rpi-jukebox-rfid

≤ 2.8.0

CVEs Like This One

CVE-2025-10327Same product: Sourcefabric Rpi-Jukebox-Rfid

CVE-2025-10326Same product: Sourcefabric Rpi-Jukebox-Rfid

CVE-2025-8828Shared CWE-77, CWE-78

CVE-2025-9575Shared CWE-77, CWE-78

CVE-2025-8259Shared CWE-77, CWE-78

CVE-2025-9026Shared CWE-77, CWE-78

CVE-2025-11138Shared CWE-77, CWE-78

CVE-2025-7414Shared CWE-77, CWE-78

CVE-2025-14586Shared CWE-77, CWE-78

CVE-2025-8829Shared CWE-77, CWE-78

References

https://github.com/YZS17/CVE/blob/main/RPi-Jukebox-RFID/rce5.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.323754
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.323754
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.643512
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/YZS17/CVE/blob/main/RPi-Jukebox-RFID/rce5.md
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0