CVE-2025-66256
Published: 26 November 2025
Summary
CVE-2025-66256 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 38.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of file type validation, MIME checking, and content restrictions in the patch_contents.php endpoint by implementing input validation mechanisms to block malicious file uploads.
- AC-14 (Permitted Actions Without Identification or Authentication): specifies and authorizes only safe actions without identification or authentication, explicitly prohibiting unauthenticated arbitrary file uploads via the vulnerable endpoint.
- Flaw remediation: establishes processes to identify, report, and remediate the specific flaw in patch_contents.php, preventing exploitation through timely patching.
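As an added illustration of the SI-10 and AC-14 controls above (example code written for this page, not the vendor's firmware code), the validator below enforces, in Python, the checks the advisory says patch_contents.php lacks: an authentication gate, a size limit, an extension allowlist, a magic-byte check of the content against the claimed type, and a server-generated storage name so the client-supplied filename never reaches the filesystem. The allowlisted types, the 1 MiB limit and the names `validate_upload` and `storage_name` are assumptions chosen for the example.

```python
import os
import secrets
from typing import Dict, Tuple

# Allowed extensions mapped to the leading bytes ("magic numbers") the content must start with.
# Hypothetical policy for illustration: a firmware patch endpoint would normally accept only
# its own signed package format; PNG/JPEG stand in here as an example allowlist.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Assumed limit for the example; far below the 16 MB the vulnerable endpoint accepts.
MAX_UPLOAD_BYTES = 1 * 1024 * 1024


def validate_upload(authenticated: bool, filename: str, content: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason_or_extension) for a candidate upload."""
    # AC-14: uploading a file is not a permitted unauthenticated action.
    if not authenticated:
        return False, "authentication required"
    # Enforce the size limit before doing anything else with the body.
    if len(content) > max_bytes:
        return False, "file too large"
    if not content:
        return False, "empty file"
    # SI-10: take only the final extension of the basename; path components and
    # earlier dots in the client-supplied name are ignored, not trusted.
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '(none)'}"
    # SI-10: the content must match the claimed type by its leading bytes, never by
    # the client-sent Content-Type header, which the client controls.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # Reject files that carry a PHP open tag anywhere, so a valid image header cannot
    # be used to smuggle server-side code past the type check.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded script detected"
    return True, ext


def storage_name(ext: str) -> str:
    """Server-generated name under the validated extension; 32 hex chars plus extension."""
    return secrets.token_hex(16) + ext
```

The checks are language-agnostic; a PHP handler for this endpoint would apply them in the same order (authentication, size, extension allowlist, magic bytes, server-generated name) and store the file outside any web-served directory.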
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file upload in a public-facing PHP endpoint enables exploitation of a public-facing application (T1190), ingress of tools or malware (T1105), and deployment of web shells for RCE and persistence (T1505.003).
NVD Description
Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Unrestricted file upload in patch_contents.php allows uploading malicious files. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files.
Deeper analysis
CVE-2025-66256 is an unauthenticated arbitrary file upload vulnerability in the patch_contents.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices, affecting versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The vulnerable endpoint at /var/tdf/patch_contents.php allows unauthenticated users to upload arbitrary files without file type validation, MIME checking, or size restrictions beyond 16MB. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Attackers with network access can exploit this vulnerability without authentication by sending HTTP requests to the patch_contents.php endpoint with malicious payloads, such as webshells or executable files. Successful exploitation enables arbitrary file uploads, potentially leading to remote code execution, unauthorized access to sensitive data, system file modification, or denial-of-service conditions, with high impacts on confidentiality, integrity, and availability.
Advisories referenced in the CVE point to https://www.abdulmhsblog.com/posts/webfmvulns/ for further details, though specific patch or mitigation guidance is not detailed in the CVE description.
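From the detection side, the exploitation pattern described above (an unauthenticated POST to patch_contents.php, followed by a request for a newly uploaded script) is visible in ordinary web server access logs. The following is an added example, not part of the advisory or the vendor's code: it parses Apache/nginx "combined" format lines, flags every POST to the endpoint, notes whether the request carried an authenticated user, and flags any later request from the same source to a `.php` path that had not been seen before the upload. The sample log lines are constructed, and the upload directory path in them is hypothetical; only the endpoint name comes from the advisory.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx "combined" log format (the trailing referer and user-agent fields are not needed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Endpoint named in the advisory; compared case-insensitively on the path with the query string removed.
TARGET = "patch_contents.php"

# Constructed sample lines for the example; not real device logs. The /var/tdf/uploads/ path is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2025:10:00:01 +0000] "GET /var/tdf/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2025:10:00:04 +0000] "POST /var/tdf/patch_contents.php HTTP/1.1" 200 43 "-" "python-requests/2.31"
203.0.113.7 - - [26/Nov/2025:10:00:06 +0000] "GET /var/tdf/uploads/x.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - admin [26/Nov/2025:10:05:00 +0000] "POST /var/tdf/PATCH_CONTENTS.PHP?v=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.4 - - [26/Nov/2025:10:07:00 +0000] "GET /var/tdf/patch_contents.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line into a dict, or return None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["path"] = str(rec["path"]).split("?", 1)[0]   # drop the query string
    rec["status"] = int(str(rec["status"]))
    return rec


def find_upload_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return detection events: POSTs to the endpoint and later new-.php requests from the same source."""
    events: List[Dict[str, object]] = []
    uploaders = set()      # sources that have POSTed to the endpoint so far
    seen_paths = set()     # paths observed before any upload from a given source
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path_l = str(rec["path"]).lower()
        if rec["method"] == "POST" and path_l.endswith("/" + TARGET):
            events.append({
                "ip": rec["ip"], "kind": "upload_post", "status": rec["status"],
                "authenticated": rec["user"] != "-", "ts": rec["ts"],
            })
            uploaders.add(rec["ip"])
            continue
        # A request from a known uploader to a .php path never seen before is the
        # follow-up that an uploaded script would produce.
        if rec["ip"] in uploaders and path_l.endswith(".php") and path_l not in seen_paths:
            events.append({
                "ip": rec["ip"], "kind": "new_php_after_upload", "path": rec["path"],
                "status": rec["status"], "ts": rec["ts"],
            })
        seen_paths.add(path_l)
    return events


def uploads_by_source(events: List[Dict[str, object]]) -> Counter:
    """Count endpoint POSTs per source address."""
    return Counter(str(e["ip"]) for e in events if e["kind"] == "upload_post")


if __name__ == "__main__":
    for event in find_upload_attempts(SAMPLE_LOG.splitlines()):
        print(event)
    print(uploads_by_source(find_upload_attempts(SAMPLE_LOG.splitlines())))
```

Because the combined format records response size rather than request size, the rule keys on method and path rather than on body length; if mod_logio's `%I` field is available, a request-size threshold can be added as a further discriminator. The `authenticated` flag relies on the `%u` field, so on a device that performs its own session handling in PHP it will read as unauthenticated for every request and should be treated as informational only.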
Details
- CWE(s)