CVE-2025-10394

4.7 MEDIUM

📋 TL;DR

This CVE describes a code injection vulnerability in the fcba_zzm ics-park Smart Park Management System 2.0, specifically in the Scheduled Task Module's JobController component. Attackers can remotely exploit this to execute arbitrary code on affected systems. Organizations using this smart park management software are at risk.

💻 Affected Systems

Products:
  • fcba_zzm ics-park Smart Park Management System
Versions: 2.0
Operating Systems: Any OS running the Java-based application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the ruoyi-quartz component's JobController.java file in the scheduled task module.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing remote code execution, data theft, and lateral movement within the network.

🟠 Likely Case: Unauthorized access to the management system, manipulation of scheduled tasks, and potential data exfiltration.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls preventing exploitation.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit details have been publicly disclosed on GitHub, increasing the risk of active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NONE

Restart Required: No

Instructions:

No official patch available. Monitor vendor channels for updates and apply workarounds immediately.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate the Smart Park Management System from internet access and restrict internal network access.

Configure firewall rules to block external access to the management system.

Input Validation (java)

Implement strict input validation and sanitization for all scheduled task parameters.

Review and modify JobController.java to validate all user inputs.
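One way to implement the validation step above, as an added example that is not the vendor's or the RuoYi project's code: an allowlist check a scheduled-task controller can run before a job is stored or scheduled. It assumes the task target arrives as a string shaped "beanName.methodName(args)"; the bean names, method names and sample inputs are constructed.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not the vendor's or the RuoYi project's code: an allowlist check
 * that a scheduled-task controller can run before persisting or scheduling a job.
 * Assumption: the task target arrives as a string shaped "beanName.methodName(args)",
 * with args limited to quoted strings, integers or booleans. Adjust to the real format.
 */
public final class JobTargetValidator {
    // Only these bean.method pairs may be scheduled; everything else is rejected.
    // An allowlist avoids the cat-and-mouse game of blocking individual class names.
    private static final Set<String> ALLOWED_TARGETS = Set.of(
            "reportTask.generateDaily",          // constructed sample entry
            "parkingTask.syncGateStatus");       // constructed sample entry

    // beanName.methodName( optional comma-separated 'string' | integer | boolean args )
    private static final Pattern TARGET_SHAPE = Pattern.compile(
            "^([a-z][A-Za-z0-9]*)\\.([a-z][A-Za-z0-9]*)\\(\\s*"
            + "(?:('[^'\\\\]*'|-?\\d+L?|true|false)"
            + "(?:\\s*,\\s*('[^'\\\\]*'|-?\\d+L?|true|false))*)?\\s*\\)$");

    /** True only for a well-formed target whose bean.method is on the allowlist. */
    public static boolean isAllowed(String invokeTarget) {
        if (invokeTarget == null || invokeTarget.length() > 200) {
            return false;                       // null or oversized input never reaches the matcher
        }
        Matcher m = TARGET_SHAPE.matcher(invokeTarget.trim());
        if (!m.matches()) {
            return false;                       // fully qualified class names, URLs, extra statements
        }
        return ALLOWED_TARGETS.contains(m.group(1) + "." + m.group(2));
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering accepted and rejected shapes
        String[] samples = {
            "reportTask.generateDaily()",                          // accept
            "parkingTask.syncGateStatus('north-gate', 30)",        // accept
            "com.example.SomeClass.run()",                         // reject: not an allowlisted bean
            "reportTask.generateDaily(); otherBean.call()",        // reject: trailing statement
            "otherBean.generateDaily()"                            // reject: bean not allowlisted
        };
        for (String s : samples) {
            System.out.printf("%-50s -> %s%n", s, isAllowed(s) ? "accept" : "reject");
        }
    }
}
```

Wire the check into the controller's add and edit paths so a rejected target is never written to the job table; the allowlist itself belongs in configuration, not in user-editable data.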

🧯 If You Can't Patch

  • Implement strict network access controls and monitor for suspicious activity
  • Disable or restrict the scheduled task module if not essential for operations

🔍 How to Verify

Check if Vulnerable:

Check if running fcba_zzm ics-park Smart Park Management System version 2.0 and review the JobController.java file for input validation issues.

Check Version:

Check application configuration files or contact the vendor for version information.

Verify Fix Applied:

Verify that input validation has been implemented in JobController.java and test with malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual scheduled task executions
  • Unexpected Java process creations
  • Error logs containing injection attempts

Network Indicators:

  • Unusual outbound connections from the management system
  • Traffic to unexpected ports

SIEM Query:

source="smart-park-system" AND (event="task_execution" OR event="code_injection")
