CVE-2025-66251
Published: 26 November 2025
Summary
CVE-2025-66251 is a critical-severity Path Traversal (CWE-22) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 33.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly validates the deletehidden parameter to block path traversal sequences, preventing arbitrary .tgz file deletion.
- AC-14 (Permitted Actions Without Identification or Authentication): prohibits unauthenticated actions such as file deletion via the deletehidden parameter, requiring identification and authentication for sensitive operations.
- AC-3 (Access Enforcement): enforces approved access authorizations to system resources, preventing unauthorized path traversal and file deletion beyond restricted directories.
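As an added example that is not part of this record or of the Mozart firmware, a Python validator of the kind the first control above describes: it accepts only a bare .tgz filename and rejects any deletehidden value whose resolved path leaves the restricted directory. The function names, the HIDDEN_DIR path and the sample archive are assumptions.

```python
import tempfile
from pathlib import Path

# Directory the delete operation is confined to (hypothetical; the real firmware layout is not on the page).
HIDDEN_DIR = "/var/hidden"

class UnsafeDeleteRequest(ValueError):
    """Raised when a deletehidden value fails validation."""

def resolve_deletehidden(value: str, base_dir: str = HIDDEN_DIR) -> Path:
    """Validate an untrusted deletehidden value and return the only path it may name.

    Call this after URL decoding. The value must be a bare filename (no path
    separators, no NUL, not "." or ".."), end in .tgz, and resolve inside base_dir.
    """
    if not value or value in (".", ".."):
        raise UnsafeDeleteRequest("empty or dot-only name")
    if "/" in value or "\\" in value or "\x00" in value:
        raise UnsafeDeleteRequest("path separators and NUL are not allowed")
    if not value.endswith(".tgz"):
        raise UnsafeDeleteRequest("only .tgz archives may be deleted")
    base = Path(base_dir).resolve()
    target = (base / value).resolve()
    # resolve() follows symlinks, so a planted link pointing outside base_dir fails here too.
    if target.parent != base:
        raise UnsafeDeleteRequest("resolved path escapes the restricted directory")
    return target

def is_valid_deletehidden(value: str, base_dir: str = HIDDEN_DIR) -> bool:
    """Accept/reject wrapper for callers that do not need the path."""
    try:
        resolve_deletehidden(value, base_dir)
        return True
    except UnsafeDeleteRequest:
        return False

def delete_hidden_archive(value: str, base_dir: str = HIDDEN_DIR) -> bool:
    """Delete the validated archive; return True only if a file was removed."""
    target = resolve_deletehidden(value, base_dir)
    if not target.is_file():
        return False
    target.unlink()
    return True

def make_sample_dir() -> str:
    """Constructed fixture: a temp directory holding one dummy backup.tgz."""
    d = tempfile.mkdtemp()
    Path(d, "backup.tgz").write_bytes(b"constructed sample archive")
    return d
```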
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal enables exploitation of a public-facing application (T1190) and arbitrary file deletion (T1070.004).
NVD Description
Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletehidden parameter allows path traversal deletion of arbitrary .tgz files.
Deeper analysis
CVE-2025-66251 is an unauthenticated path traversal vulnerability enabling arbitrary file deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices across versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue stems from the deletehidden parameter, which permits path traversal attacks to delete arbitrary .tgz files. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability was published on 2025-11-26.
An unauthenticated attacker with network access to an affected device can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves manipulating the deletehidden parameter to traverse directories and target .tgz files for deletion, potentially disrupting device operations by causing high integrity and availability impacts, such as service denial or configuration loss.
Details on mitigation, including any patches or workarounds, are available in the referenced advisory at https://www.abdulmhsblog.com/posts/webfmvulns/.
Details
- CWE(s)