CVE-2025-10327: Rpi-Jukebox-RFID RCE Vulnerability

CVE-2025-10327 Overview

CVE-2025-10327 is an OS Command Injection vulnerability identified in MiczFlor RPi-Jukebox-RFID versions up to and including 2.8.0. The vulnerability exists in the file /htdocs/api/playlist/shuffle.php, where the playlist argument is not properly sanitized before being passed to system commands. This allows authenticated remote attackers to execute arbitrary operating system commands on the underlying Raspberry Pi device.

Critical Impact

Remote attackers with low privileges can exploit this vulnerability to execute arbitrary OS commands on the RPi-Jukebox-RFID device, potentially leading to full system compromise, data theft, or use of the device in botnet operations.

Affected Products

• MiczFlor RPi-Jukebox-RFID versions up to 2.8.0
• Sourcefabric RPi-Jukebox-RFID (all versions through 2.8.0)

Discovery Timeline

• September 12, 2025 - CVE-2025-10327 published to NVD
• January 20, 2026 - Last updated in NVD database

Technical Details for CVE-2025-10327

Vulnerability Analysis

This vulnerability is classified as both CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The flaw exists in the playlist shuffle functionality exposed through the web API endpoint at /htdocs/api/playlist/shuffle.php.

The vulnerable code fails to sanitize the playlist parameter before incorporating it into shell commands. An authenticated attacker can craft malicious input containing shell metacharacters (such as semicolons, backticks, or pipe characters) that break out of the intended command context and execute arbitrary commands with the privileges of the web server process.

RPi-Jukebox-RFID is a popular open-source project that transforms Raspberry Pi devices into music players controlled via RFID cards. Due to its deployment on home networks and IoT environments, successful exploitation could provide attackers with a foothold for lateral movement or use compromised devices in distributed attacks.

Root Cause

The root cause is improper input validation in the shuffle.php API endpoint. The playlist argument is passed directly to system-level commands without adequate sanitization or escaping. This allows shell metacharacters to be interpreted by the underlying operating system shell, enabling command injection.

Attack Vector

The attack can be launched remotely over the network by any authenticated user. The attacker submits a crafted HTTP request to the /htdocs/api/playlist/shuffle.php endpoint with a maliciously constructed playlist parameter containing OS command injection payloads. Common injection techniques include using command separators (;, &&, ||), command substitution (`command` or $(command)), or pipe operators to chain arbitrary commands.

The vulnerability has been publicly disclosed, and exploit code is available through Exploit-DB, significantly increasing the risk of exploitation in the wild. According to the CVE description, the vendor was contacted about this disclosure but did not respond.

Detection Methods for CVE-2025-10327

Indicators of Compromise

• Unexpected HTTP requests to /htdocs/api/playlist/shuffle.php containing shell metacharacters (;, |, &, `, $())
• Anomalous process spawning from the web server process (e.g., www-data spawning shells or network utilities)
• Unusual outbound network connections from the Raspberry Pi device
• Suspicious entries in web server access logs with encoded or obfuscated payloads in the playlist parameter

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block requests containing command injection patterns in API parameters
• Monitor for unusual child processes spawned by the web server, particularly command shells (/bin/sh, /bin/bash) or common exploitation tools
• Enable and review application logs for requests to the affected endpoint with suspicious parameter values
• Deploy network intrusion detection signatures for known RPi-Jukebox-RFID exploitation patterns

Monitoring Recommendations

• Enable verbose logging on the RPi-Jukebox-RFID web interface to capture all API requests and parameters
• Configure host-based intrusion detection to alert on unexpected command execution patterns
• Monitor network traffic from RPi devices for signs of command and control communication or data exfiltration
• Establish baseline behavior for the device and alert on deviations such as new listening ports or outbound connections

How to Mitigate CVE-2025-10327

Immediate Actions Required

• Restrict network access to the RPi-Jukebox-RFID web interface to trusted networks only using firewall rules
• If the device is internet-facing, immediately place it behind a VPN or remove public access
• Review web server logs for any evidence of exploitation attempts
• Consider disabling the web interface entirely if not required for operation

Patch Information

As of the last modification date, no official patch has been released by the vendor. The CVE description notes that the vendor was contacted about this disclosure but did not respond. Users should monitor the GitHub RCE PoC Documentation and VulDB entry for updates. Upgrade to a patched version immediately when one becomes available.

Workarounds

• Implement input validation at the web server level by adding a reverse proxy with WAF capabilities (e.g., ModSecurity) to filter malicious requests
• Modify the vulnerable shuffle.php file to escape or sanitize the playlist parameter before passing it to shell commands (requires PHP expertise)
• Limit access to the web interface using HTTP basic authentication or IP-based restrictions
• Run the web server process with minimal system privileges to reduce the impact of successful exploitation

# Example: Restrict access to the web interface using iptables
# Only allow connections from trusted local network (192.168.1.0/24)
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP