CVE-2025-66254
Published: 26 November 2025
Summary
CVE-2025-66254 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces authentication and authorization requirements to block unauthenticated access to the deleteupgrade parameter in upgrade_contents.php.
Validates the deleteupgrade parameter for proper path sanitization and restrictions to prevent arbitrary file deletions in /var/www/upload/.
Limits privileges of the web application process to reduce the scope and impact of deletable files, including critical system components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated arbitrary file deletion flaw in a public-facing web application (T1190), enabling remote attackers to delete critical files in /var/www/upload/ for high integrity and availability impact (T1107).
NVD Description
Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files. The…
more
`deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
Deeper analysisAI
CVE-2025-66254 is an unauthenticated arbitrary file deletion vulnerability in the `deleteupgrade` parameter of `/var/www/upgrade_contents.php` within DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices running versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The flaw lacks proper path sanitization or extension restrictions, allowing attackers to delete arbitrary files stored in the `/var/www/upload/` directory, including potentially critical system files. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-73 (External Control of File Name or Path).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a crafted request to the affected endpoint, the attacker can specify any file path within `/var/www/upload/` for deletion, potentially disrupting FM transmitter operations by removing essential configuration files, firmware updates, or other system components. This results in high integrity and availability impacts, though no confidentiality loss.
Advisories are available at https://www.abdulmhsblog.com/posts/webfmvulns/, which detail the vulnerability discovery but do not specify patches or mitigations in the provided information. Security practitioners should monitor for updates from DB Electronica Telecomunicazioni S.p.A. and restrict network access to the web interface.
Details
- CWE(s)