Cyber Posture

CVE-2025-66259

Critical · Public PoC

Published: 26 November 2025
Modified: 03 December 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (64.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66259 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-10 Information Input Validation

Directly mitigates the command injection vulnerability by enforcing input validation on user-supplied hour/time data before it is passed to the 'date' shell command in main_ok.php.

prevent: SI-2 Flaw Remediation

Ensures timely identification, reporting, and correction of the specific flaw in main_ok.php that passes unfiltered user input to shell commands.

detect

Enables monitoring of the system to identify anomalous executions of the 'date' command indicative of exploitation attempts.
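The SI-10 control above amounts to one concrete coding change: never let a user-supplied date/time string reach a shell. The following PHP is an added example written for this page; it is not the vendor's main_ok.php, and the parameter names (`$date`, `$time`, taken from `$_POST` in practice) are assumed. It shows the anti-pattern the CVE describes next to a hardened version that allow-lists the exact format, parses it with `DateTimeImmutable`, and executes `date` with an argument array so no shell is ever involved.

```php
<?php
// Added example, not the vendor's code. Parameter names are assumed for illustration.

// Anti-pattern described in the CVE: user input concatenated into a shell command line.
// Any shell metacharacter in $date or $time is interpreted by /bin/sh, not by date(1).
function set_clock_unsafe(string $date, string $time): string
{
    return (string) shell_exec("date -s \"$date $time\"");
}

// Hardened step 1: strict allow-list of the wire format, then semantic validation.
// Returns null on anything that is not an exact, real calendar date/time.
function validate_clock_input(string $date, string $time): ?DateTimeImmutable
{
    if (!preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $date)) {
        return null;
    }
    if (!preg_match('/\A\d{2}:\d{2}(?::\d{2})?\z/', $time)) {
        return null;
    }
    $fmt = strlen($time) === 5 ? 'Y-m-d H:i' : 'Y-m-d H:i:s';
    $dt = DateTimeImmutable::createFromFormat('!' . $fmt, "$date $time", new DateTimeZone('UTC'));
    // createFromFormat is lenient (2025-02-31 silently rolls over into March, hour 25 into
    // the next day), so require the parsed value to round-trip to the exact input string.
    if ($dt === false || $dt->format($fmt) !== "$date $time") {
        return null;
    }
    return $dt;
}

// Hardened step 2: re-serialise from the parsed object (so only our own canonical string
// reaches the OS) and pass it as a separate argv element via proc_open's array form
// (PHP >= 7.4), which executes the binary directly without a shell.
function set_clock_safe(string $date, string $time): bool
{
    $dt = validate_clock_input($date, $time);
    if ($dt === null) {
        http_response_code(400);
        return false;
    }
    $argv = ['date', '-u', '-s', $dt->format('Y-m-d H:i:s')];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;
}

// Usage (constructed inputs): the first call is accepted, the others are rejected before
// any process is spawned.
var_dump(validate_clock_input('2025-11-26', '14:30') !== null);     // true
var_dump(validate_clock_input('2025-02-31', '10:00') !== null);     // false: not a real date
var_dump(validate_clock_input('2025-11-26', '14:30; id') !== null); // false: fails the allow-list
```

Two design points are worth noting. The regex alone is not enough, because `createFromFormat` will happily normalise impossible dates, so the round-trip comparison is what makes the validation semantic rather than syntactic. And even with perfect validation, the page's own analysis shows the web process on these devices runs as root (the outcome is root RCE); the array form of `proc_open` removes the shell, but the process that calls `date -s` still needs clock-setting privilege, which should be confined to a minimal helper rather than granted to the whole web application.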

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables remote exploitation of a public-facing web application (T1190) via command injection into the Linux/Unix shell (T1059.004), granting root RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command

Deeper analysis (AI-generated)

CVE-2025-66259 is a remote code execution vulnerability stemming from improper input validation (CWE-20) in the main_ok.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices. It affects versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue arises when user-supplied data for hour/time parameters is passed directly to the Linux 'date' shell command without filtering, enabling command injection. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Although the description specifies an authenticated attack, the CVSS privileges required (PR:N) metric suggests it may be exploitable without authentication. Successful exploitation grants root-level code execution on the device, allowing full control with high impacts on confidentiality, integrity, and availability.

The sole reference points to a blog post at https://www.abdulmhsblog.com/posts/webfmvulns/, which documents the web FM vulnerabilities but provides no details on patches, vendor advisories, or specific mitigations in the available CVE information. Security practitioners should isolate affected devices, monitor for anomalous 'date' command usage, and contact the vendor for updates.

Details

CWE(s)

Affected Products

dbbroadcast mozart next 100 firmware (all versions)
dbbroadcast mozart next 1000 firmware (all versions)
dbbroadcast mozart next 2000 firmware (all versions)
dbbroadcast mozart next 30 firmware (all versions)
dbbroadcast mozart next 300 firmware (all versions)
dbbroadcast mozart next 3000 firmware (all versions)
dbbroadcast mozart next 3500 firmware (all versions)
dbbroadcast mozart next 50 firmware (all versions)
dbbroadcast mozart next 500 firmware (all versions)
dbbroadcast mozart next 6000 firmware (all versions)
+12 more product configuration(s), see NVD for the full list

CVEs Like This One

CVE-2025-66261 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66253 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66262 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66254 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66257 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66255 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-63228 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66251 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66250 (same product: Dbbroadcast Mozart Dds Next 100)
CVE-2025-66256 (same product: Dbbroadcast Mozart Dds Next 100)

References