CVE-2025-63229
📋 TL;DR
This reflected XSS vulnerability in the Mozart FM Transmitter web interface allows attackers to inject malicious JavaScript via the ?m= parameter in /main0.php. When victims visit a crafted URL, attackers can execute arbitrary code in their browsers, potentially compromising sensitive data or sessions. Only users of Mozart FM Transmitter version WEBMOZZI-00287 with the web interface enabled are affected.
💻 Affected Systems
- Mozart FM Transmitter
📦 What is this software?
Mozart Dds Next 1000 Firmware by Dbbroadcast
Mozart Dds Next 2000 Firmware by Dbbroadcast
Mozart Dds Next 3000 Firmware by Dbbroadcast
Mozart Dds Next 3500 Firmware by Dbbroadcast
Mozart Dds Next 6000 Firmware by Dbbroadcast
Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, hijacks sessions, performs unauthorized configuration changes, or deploys malware to connected systems.
Likely Case
Attacker steals session cookies or authentication tokens to gain unauthorized access to the management interface.
If Mitigated
With proper input validation and output encoding, the vulnerability is eliminated; with network segmentation, impact is limited to the device itself.
🎯 Exploit Status
Exploitation requires victim interaction with a malicious link; no authentication needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.dbbroadcast.com/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and apply it per vendor instructions.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the ?m= parameter, allowing only expected values.
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads targeting /main0.php.
🧯 If You Can't Patch
- Disable the web management interface if not required.
- Restrict network access to the management interface using firewall rules to trusted IPs only.
🔍 How to Verify
Check if Vulnerable:
Access /main0.php?m=<script>alert('XSS')</script> in a browser; if JavaScript executes, the system is vulnerable.
Check Version:
Check the web interface login page or system info page for version WEBMOZZI-00287.
Verify Fix Applied:
Repeat the vulnerable test; if no JavaScript executes and input is sanitized, the fix is effective.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /main0.php with suspicious ?m= parameter values containing script tags or JavaScript code.
Network Indicators:
- Unusual traffic patterns to /main0.php from external sources, especially with encoded payloads.
SIEM Query:
source="web_logs" AND uri_path="/main0.php" AND query_string="*script*"
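The SIEM query above only matches a literal "script" in the query string, so percent-encoded or double-encoded payloads (the "encoded payloads" the network indicators mention) slip past it. The following is an added example, not code from the advisory or the vendor: it parses constructed Common Log Format lines, decodes the m parameter repeatedly, and flags /main0.php requests whose decoded value contains script markup. The log lines, IP addresses and detection regex are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /main0.php?m=status HTTP/1.1" 200 512
203.0.113.9 - - [10/Nov/2025:10:01:07 +0000] "GET /main0.php?m=<script>alert(1)</script> HTTP/1.1" 200 611
198.51.100.4 - - [10/Nov/2025:10:02:11 +0000] "GET /main0.php?m=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 611
198.51.100.4 - - [10/Nov/2025:10:02:15 +0000] "GET /main0.php?m=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 590
203.0.113.5 - - [10/Nov/2025:10:03:00 +0000] "GET /index.php?m=<script> HTTP/1.1" 200 300
"""

# Common Log Format: client IP, identity, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Markup that indicates a script-injection attempt once the value is fully decoded.
XSS_RE = re.compile(
    r'<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*(img|svg|iframe|body)\b',
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are exposed too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_m_values(log_text: str):
    """Return (client_ip, decoded_m) for /main0.php requests whose m parameter looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != "/main0.php":      # only the vulnerable endpoint
            continue
        # parse_qs decodes one layer; fully_decode strips any remaining layers
        for raw in parse_qs(parts.query, keep_blank_values=True).get("m", []):
            decoded = fully_decode(raw)
            if XSS_RE.search(decoded):
                hits.append((match.group("ip"), decoded))
    return hits
```

Running suspicious_m_values(SAMPLE_LOG) flags the three /main0.php requests, including the double-encoded one, and ignores the same payload sent to /index.php.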