CVE-2025-63227
📋 TL;DR
This vulnerability allows authenticated attackers with administrative credentials to upload arbitrary files to the Mozart FM Transmitter web management interface. The uploaded files can be executed on the server, potentially leading to remote code execution and full system compromise. Organizations using the affected version of Mozart FM Transmitter are at risk.
💻 Affected Systems
- Mozart FM Transmitter
📦 What is this software?
Mozart Dds Next 1000 Firmware by Dbbroadcast
Mozart Dds Next 2000 Firmware by Dbbroadcast
Mozart Dds Next 3000 Firmware by Dbbroadcast
Mozart Dds Next 3500 Firmware by Dbbroadcast
Mozart Dds Next 6000 Firmware by Dbbroadcast
Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining persistent access, data exfiltration, and use of the system as a pivot point into the network.
Likely Case
Webshell deployment leading to command execution, data theft, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent attacker from reaching the management interface.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once credentials are obtained. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.dbbroadcast.com/
Restart Required: No
Instructions:
Check vendor website for security updates. If no patch is available, implement workarounds immediately.
🔧 Temporary Workarounds
Restrict Access to Management Interface
Block external access to the web management interface using firewall rules (platform: Linux).
iptables -A INPUT -p tcp --dport [management_port] -j DROP
Disable /patch.php Endpoint
Remove or rename the vulnerable patch.php file to prevent file uploads (platform: all).
mv /path/to/patch.php /path/to/patch.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the FM transmitter from critical systems
- Enforce strong password policies and multi-factor authentication for administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check if patch.php exists in the web root and if version is WEBMOZZI-00287
Check Version:
Check web interface or device documentation for version information
Verify Fix Applied:
Verify patch.php is removed/disabled and test file upload functionality is blocked
📡 Detection & Monitoring
Log Indicators:
- File uploads to /patch.php
- Unusual file creations in /patch/ directory
- POST requests to patch.php with file uploads
Network Indicators:
- HTTP POST requests to /patch.php with file upload content
- Unusual outbound connections from the FM transmitter
SIEM Query:
source="web_logs" AND (uri="/patch.php" OR (method="POST" AND uri CONTAINS "patch"))
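The log indicators above can also be checked offline against exported web server logs. The following is an added example, not vendor or advisory code: it assumes the device's access log is in Apache/nginx "combined" format, and the sample lines, IP addresses and the file name under /patch/ are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: access logs use the Apache/nginx "combined" layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up file name).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:11 +0000] "POST /%70atch.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:02:30 +0000] "GET /patch/upload.bin?x=1 HTTP/1.1" 200 14 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2025:10:05:00 +0000] "GET /patch.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def normalise(target):
    """Drop the query string, decode %-escapes, collapse ./ and //, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def classify(line):
    """Return (indicator, ip, timestamp, path) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m["target"])
    if path == "/patch.php" and m["method"] == "POST":
        kind = "post_to_patch_php"
    elif path == "/patch" or path.startswith("/patch/"):
        kind = "patch_dir_access"
    else:
        return None
    return kind, m["ip"], m["ts"], path

def scan(lines):
    """Return all hits plus the clients seen on both indicators (review first)."""
    hits = [h for h in map(classify, lines) if h]
    uploaders = {ip for kind, ip, _, _ in hits if kind == "post_to_patch_php"}
    escalate = sorted({ip for kind, ip, _, _ in hits
                       if kind == "patch_dir_access" and ip in uploaders})
    return hits, escalate

if __name__ == "__main__":
    hits, escalate = scan(SAMPLE)
    for hit in hits:
        print(hit)
    print("escalate:", escalate)
```

Access logs do not record file creations on disk, so the "/patch/ directory" indicator is approximated here by requests into that path; pair it with file-integrity monitoring on the device where available.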