CVE-2025-66250
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to DB Electronica Telecomunicazioni's Mozart FM Transmitter devices via the status_contents.php endpoint. Attackers can potentially execute malicious code, compromise the device, or pivot to internal networks. All Mozart FM Transmitter models running affected firmware versions are vulnerable.
💻 Affected Systems
- DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
📦 What is this software?
- Mozart Dds Next 1000 Firmware by Dbbroadcast
- Mozart Dds Next 2000 Firmware by Dbbroadcast
- Mozart Dds Next 3000 Firmware by Dbbroadcast
- Mozart Dds Next 3500 Firmware by Dbbroadcast
- Mozart Dds Next 6000 Firmware by Dbbroadcast
- Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to remote code execution, lateral movement into internal networks, disruption of broadcast operations, and data exfiltration.
Likely Case
Attackers upload web shells or malware to gain persistent access, modify device configurations, disrupt FM transmission, or use the device as a foothold for further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated device, preventing lateral movement and reducing operational disruption.
🎯 Exploit Status
Exploitation requires no authentication, only simple HTTP POST requests. A public blog post demonstrates exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check vendor website for security updates. If no patch is available, implement workarounds immediately.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Use web server configuration or firewall rules to block access to /var/tdf/status_contents.php
# Note: the string match below only sees plaintext HTTP. On port 443 the request path is inside TLS, so that rule cannot match; block the path in the web server configuration instead.
iptables -A INPUT -p tcp --dport 80 -m string --string "/var/tdf/status_contents.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/var/tdf/status_contents.php" --algo bm -j DROP
Restrict web interface access
Configure the firewall to allow web interface access only from trusted management networks
# Replace TRUSTED_NETWORK with the management network CIDR. Rule order matters: the ACCEPT rules must precede the DROP rules, and an earlier blanket ACCEPT in the chain would make these rules ineffective.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Isolate vulnerable devices in a separate VLAN with strict firewall rules preventing outbound connections
- Implement network monitoring for unusual file upload patterns to the web interface
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a test file via POST request to http://device_ip/var/tdf/status_contents.php with multipart form data
Check Version:
Check web interface login page or system information page for firmware version
Verify Fix Applied:
Test that file upload attempts to the vulnerable endpoint are blocked or return appropriate error responses
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /var/tdf/status_contents.php
- Unusual file creation in web directories
- Multiple failed upload attempts from single IP
Network Indicators:
- HTTP traffic to port 80/443 with POST requests containing file upload patterns
- Unusual outbound connections from FM transmitter devices
SIEM Query:
source="web_logs" AND (uri="/var/tdf/status_contents.php" OR (method="POST" AND uri CONTAINS "status_contents"))
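As an added example that is not part of the original advisory, the following Python script applies the log indicators above to web server access logs: it flags POST requests to /var/tdf/status_contents.php and reports source IPs with repeated (or repeated failed) attempts. The log lines are constructed samples in Combined Log Format, and the IP addresses and threshold values are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real device logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "POST /var/tdf/status_contents.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.3 - - [10/Mar/2025:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:09 +0000] "POST /var/tdf/status_contents.php HTTP/1.1" 500 128 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:12 +0000] "POST /var/tdf/status_contents.php?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2025:12:01:00 +0000] "GET /var/tdf/status_contents.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

VULN_PATH = "/var/tdf/status_contents.php"

# ip, timestamp, request line (method + uri + protocol), status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_attempts(log_text, path=VULN_PATH):
    """Return all POST requests whose path (query string stripped) is the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["uri"].split("?", 1)[0] == path:
            hits.append(e)
    return hits


def repeated_sources(hits, threshold=3, failed_only=False):
    """Source IPs with at least `threshold` attempts; failed_only counts only 4xx/5xx responses."""
    counted = [h for h in hits if not failed_only or int(h["status"]) >= 400]
    per_ip = Counter(h["ip"] for h in counted)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits = find_upload_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} POST {h["uri"]} -> {h["status"]}')
    print("repeated sources:", repeated_sources(hits, threshold=3))
    print("repeated failed sources:", repeated_sources(hits, threshold=2, failed_only=True))
```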