CVE-2025-66250
Published: 26 November 2025
Summary
CVE-2025-66250 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 38.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- AC-14 (Permitted Actions Without Identification or Authentication): directly prohibits unauthenticated arbitrary file uploads by limiting the actions permitted without identification or authentication on the status_contents.php endpoint.
- SI-10 (Information Input Validation): enforces validation of information inputs to block unrestricted uploads of dangerous file types via the vulnerable endpoint.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the file upload flaw in affected Mozart FM Transmitter versions.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
An unauthenticated arbitrary file upload in a public-facing PHP endpoint enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1100 (Web Shell) for RCE via uploaded malicious files.
NVD Description
Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform unauthenticated arbitrary file upload via /var/tdf/status_contents.php.
Deeper analysis (AI)
CVE-2025-66250 is an unauthenticated arbitrary file upload vulnerability in the status_contents.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices, affecting versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The flaw, published on 2025-11-26, enables attackers to upload arbitrary files via the /var/tdf/status_contents.php endpoint and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Any unauthenticated attacker with network access to the affected device can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows arbitrary file uploads, which could lead to remote code execution, data theft, modification of critical files, or denial of service, given the high impacts on confidentiality, integrity, and availability.
Mitigation details are outlined in the advisory at https://www.abdulmhsblog.com/posts/webfmvulns/. Security practitioners should consult this reference for patching instructions or workarounds, as no additional vendor patches are specified in available data.
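For defenders who cannot patch immediately, the following added detection example (not from the advisory or the vendor) scans web-server access logs for the two stages described above: an unauthenticated POST to /var/tdf/status_contents.php (T1190) followed by the same client requesting a previously unseen .php path (the T1100 web-shell follow-up). It assumes Apache/nginx "combined" log format and that the auth-user field reads "-" for unauthenticated requests; the log lines and the cmd.php file name are constructed for illustration.

```python
import re

# Constructed sample access-log lines (Apache/nginx "combined" format); hypothetical, not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2025:10:01:02 +0000] "GET /var/tdf/status_contents.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2025:10:01:05 +0000] "POST /var/tdf/status_contents.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [26/Nov/2025:10:01:09 +0000] "GET /var/tdf/cmd.php?x=1 HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.4 - operator [26/Nov/2025:10:05:00 +0000] "POST /var/tdf/status_contents.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Nov/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

ENDPOINT = "/var/tdf/status_contents.php"  # vulnerable endpoint named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(log_text):
    """Flag unauthenticated POSTs to the upload endpoint, then any later request from the
    same client to a .php path never seen before (the T1100 web-shell follow-up)."""
    findings = []
    seen_paths = set()   # every path requested so far, by any client
    uploaders = set()    # clients whose unauthenticated upload the server accepted (2xx)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path == ENDPOINT and rec["user"] == "-":
            # '-' in the auth-user field: the server saw no authenticated user (the AC-14 gap).
            findings.append({"type": "unauthenticated_upload", "ip": rec["ip"],
                             "ts": rec["ts"], "status": rec["status"]})
            if rec["status"].startswith("2"):
                uploaders.add(rec["ip"])
        elif rec["ip"] in uploaders and path.endswith(".php") and path not in seen_paths:
            findings.append({"type": "possible_web_shell", "ip": rec["ip"],
                             "ts": rec["ts"], "path": path})
        seen_paths.add(path)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The authenticated POST from "operator" is deliberately not flagged, so the rule stays quiet on legitimate use of the endpoint once AC-14 is enforced.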
Details
- CWE(s)