CVE-2025-66257
Published: 26 November 2025
Summary
CVE-2025-66257 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to the patch_contents.php delete function, directly addressing the lack of access control checks allowing unauthenticated arbitrary file deletion.
Requires validation of the deletepatch parameter to prevent external control of file names or paths in the /var/www/patch/ directory.
Limits permitted actions without identification or authentication, preventing unauthenticated file deletion via the exposed web endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of public-facing web application (patch_contents.php) enables arbitrary file deletion in /var/www/patch/, disrupting services and causing outages.
NVD Description
Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The…
more
`deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.
Deeper analysisAI
CVE-2025-66257 is an unauthenticated arbitrary file deletion vulnerability affecting DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices in versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in the `patch_contents.php` script, where the `deletepatch` parameter enables attackers to delete arbitrary files within the `/var/www/patch/` directory. This occurs without any sanitization or access control checks, stemming from CWE-73 (External Control of File Name or Path). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to high impact on integrity and availability.
Any unauthenticated attacker with network access to the affected device can exploit this vulnerability remotely with low complexity and no user interaction required. By sending a crafted request to `patch_contents.php` manipulating the `deletepatch` parameter, the attacker can specify and delete any file in the `/var/www/patch/` directory, potentially disrupting firmware patching processes, corrupting update files, or causing service outages on the FM transmitter.
Advisories detailing the vulnerability are available at https://www.abdulmhsblog.com/posts/webfmvulns/, which researchers should consult for specific mitigation guidance or patches, as no additional details on fixes are provided in the CVE record. The vulnerability was published on 2025-11-26.
Details
- CWE(s)