CVE-2025-10327
published 2025-09-12


Priority: P277
Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 10.16% (95.1st percentile)
A weakness has been identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. The affected code is an unknown function in the file /htdocs/api/playlist/shuffle.php. Manipulation of the playlist argument leads to OS command injection. The attack can be launched remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Affected (10 ranges)

Vendor         Product             Version range                                  Fixed in
miczflor       rpi-jukebox-rfid    (9 ranges; version data not shown on this page) none listed
sourcefabric   rpi-jukebox-rfid    <= 2.8.0                                       none listed

Detection & IOCs (extracted from sources)

path: /htdocs/api/playlist/shuffle.php
url: http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php
command: test';touch rced_by_xu17.txt;echo '

The payload closes a single-quoted shell argument, runs touch, and reopens the quote so the rest of the command line still parses; any value that can break out of the quoting in the same way is a usable injection.

  • Alert on PUT requests to the shuffle.php endpoint with a Content-Type of application/json whose 'playlist' value contains characters such as ', ; or other shell command sequences.
  • Detect creation of unexpected files (e.g. rced_by_xu17.txt) in the web root or working directory of the Jukebox application as a post-exploitation indicator.
  • The exploit uses the HTTP PUT method against the API endpoint; alert on PUT requests to shuffle.php from external or untrusted sources.
  • The exploit targets RPi-Jukebox-RFID 2.8.0 and below; the vulnerable endpoint path includes /phoniebox/ as a web-root prefix, which varies by installation, so match on the /api/playlist/shuffle.php suffix rather than on the full path.
  • The vendor was unresponsive to disclosure; no patch is confirmed available as of the CVE publication date, so every deployment of RPi-Jukebox-RFID up to 2.8.0 should be treated as exposed, and the web interface should not be reachable from untrusted networks until a fix exists.
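The following is an added example, written for this page and not taken from the RPi-Jukebox-RFID project or from the published exploit. It turns the three detection rules above into a small classifier run over constructed request records: a PUT to a path ending in /api/playlist/shuffle.php is flagged if it comes from outside a trusted network, or if its JSON body carries a 'playlist' value containing shell metacharacters. The record field names (src, method, path, content_type, body), the default trusted network 192.168.0.0/16, and the sample requests are all assumptions; the injected playlist value in the second sample is the payload quoted in the IOC list above. A second helper diffs a directory listing against a baseline for the post-exploitation file indicator.

```python
"""Detection helpers for CVE-2025-10327-style command injection attempts.

Added example for this page; not code from RPi-Jukebox-RFID or from the
public exploit. Request records are constructed and their field names are
an assumption; the payload string is the one quoted in the IOC section.
"""
import ipaddress
import json
import re
from typing import Iterable, List, Optional

# Match on the suffix: the /phoniebox/ web-root prefix varies per install.
TARGET_SUFFIX = "/api/playlist/shuffle.php"

# Quotes, separators, pipes, backticks, redirection, newlines, backslashes
# and $(...) / ${...} substitution: none of these belong in a playlist name,
# all of them let a value escape a quoted shell argument.
SHELL_METACHARS = re.compile(r"""[;&|`'"<>\n\\]|\$\(|\$\{""")


def has_shell_metachars(value: str) -> bool:
    """True if the playlist value could break out of a shell argument."""
    return SHELL_METACHARS.search(value) is not None


def extract_playlist(body: str) -> Optional[str]:
    """Return the 'playlist' string from a JSON body, or None if absent."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("playlist")
    return value if isinstance(value, str) else None


def classify_request(req: dict,
                     trusted_nets: Iterable[str] = ("192.168.0.0/16",)) -> Optional[str]:
    """Return an alert reason for one request record, or None if benign.

    Only PUT requests to the shuffle.php endpoint are considered; everything
    else is out of scope for this rule and returns None.
    """
    path = req.get("path", "").split("?", 1)[0]
    if not path.endswith(TARGET_SUFFIX) or req.get("method", "").upper() != "PUT":
        return None
    reasons = []
    # Rule 3: PUT to the endpoint from an untrusted (assumed: non-LAN) source.
    try:
        src = ipaddress.ip_address(req.get("src", ""))
        if not any(src in ipaddress.ip_network(net) for net in trusted_nets):
            reasons.append(f"PUT to shuffle.php from untrusted source {src}")
    except ValueError:
        reasons.append("PUT to shuffle.php with unparseable source address")
    # Rule 1: JSON body whose playlist value carries shell metacharacters.
    ctype = req.get("content_type", "").split(";")[0].strip().lower()
    playlist = extract_playlist(req.get("body", "")) if ctype == "application/json" else None
    if playlist is not None and has_shell_metachars(playlist):
        reasons.append(f"shell metacharacters in playlist value {playlist!r}")
    return "; ".join(reasons) or None


def unexpected_files(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Rule 2: files present in the web root now that were not in the baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample records (not captured traffic).
SAMPLE_REQUESTS = [
    {"src": "192.168.1.20", "method": "PUT", "path": "/phoniebox/api/playlist/shuffle.php",
     "content_type": "application/json", "body": '{"playlist": "kids-songs"}'},
    {"src": "192.168.1.20", "method": "PUT", "path": "/phoniebox/api/playlist/shuffle.php",
     "content_type": "application/json",
     "body": json.dumps({"playlist": "test';touch rced_by_xu17.txt;echo '"})},
    {"src": "203.0.113.7", "method": "PUT", "path": "/api/playlist/shuffle.php",
     "content_type": "application/json", "body": '{"playlist": "jazz"}'},
    {"src": "192.168.1.20", "method": "GET", "path": "/phoniebox/api/playlist/shuffle.php",
     "content_type": "", "body": ""},
]


def run_sample() -> List[Optional[str]]:
    """Classify every constructed record; one entry per request."""
    return [classify_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(req["method"], req["path"], "->", verdict or "ok")
    print(unexpected_files(["index.php", "rced_by_xu17.txt"], ["index.php"]))
```

Two design choices matter: the rule keys on the path suffix because the page itself notes the /phoniebox/ prefix varies, and the metacharacter class is deliberately broad, since a playlist name has no legitimate need for quotes, separators or substitution syntax, so a few false positives on odd names are cheaper than missing a variant of the quoted payload.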

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v4.0  2.1  LOW       CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd  v2.0  6.5  MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P

The three vectors do not agree on the preconditions. The v3.1 vector scores the flaw as unauthenticated (PR:N) with full impact on confidentiality, integrity and availability, while the v4.0 vector (PR:L, VC:L/VI:L/VA:L) and the v2.0 vector (Au:S, C:P/I:P/A:P) assume a logged-in user and partial impact, which is why the scores range from 2.1 to 9.8. Before triaging on the 9.8 alone, check whether the shuffle endpoint is reachable without authentication on the installation in question.