CVE-2025-66262
Published: 26 November 2025
Summary
CVE-2025-66262 is a critical-severity Path Traversal (CWE-22) vulnerability in Dbbroadcast Mozart Next 100 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal in tar extraction by requiring validation of user-controlled archive paths before depositing contents to the filesystem root.
Mandates identification, reporting, and correction of the specific flaw in restore_mozzi_memories.sh lacking path validation during tar extraction.
Enforces least privilege on the extraction process to restrict writable directories and limit the impact of arbitrary file overwrites even if path traversal succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file overwrite via unauthenticated remote path traversal in tar extraction on a public-facing web FM transmitter device directly enables exploitation of a public-facing application.
NVD Description
Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary…
more
file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
Deeper analysisAI
CVE-2025-66262 is an arbitrary file overwrite vulnerability stemming from tar extraction path traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices across versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in the `restore_mozzi_memories.sh` script, which extracts user-controlled tar archives using the `-C /` flag, directing contents to the filesystem root without any path validation. This flaw, classified under CWE-22 and assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), was published on 2025-11-26.
Remote attackers require no privileges or user interaction to exploit this vulnerability, particularly when chained with unauthenticated file upload issues referenced as CVE-01, CVE-06, and CVE-07. By crafting malicious .tgz archives with path-traversed filenames—such as `etc/shadow` or `var/www/index.php`—attackers can overwrite critical system files in writable directories upon extraction. Successful exploitation enables full system compromise, granting attackers high confidentiality, integrity, and availability impacts.
Advisories are detailed in the reference at https://www.abdulmhsblog.com/posts/webfmvulns/, which covers the vulnerability discovery in the context of web FM transmitter flaws.
Details
- CWE(s)