CVE-2025-66251
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete arbitrary .tgz files via path traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Attackers can exploit the deletehidden parameter to traverse directories and delete critical system files. All Mozart FM Transmitter models (30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000) are affected.
💻 Affected Systems
- DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
📦 What is this software?
- Mozart Dds Next 1000 Firmware by Dbbroadcast
- Mozart Dds Next 2000 Firmware by Dbbroadcast
- Mozart Dds Next 3000 Firmware by Dbbroadcast
- Mozart Dds Next 3500 Firmware by Dbbroadcast
- Mozart Dds Next 6000 Firmware by Dbbroadcast
- Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, configuration files, or firmware packages, potentially causing permanent device damage or service disruption.
Likely Case
Service disruption by deleting configuration files, backup archives, or firmware packages, requiring manual restoration or device replacement.
If Mitigated
Limited impact if proper network segmentation and file permission controls prevent access to critical system directories.
🎯 Exploit Status
The vulnerability requires no authentication and can be exploited with simple HTTP requests carrying path traversal sequences in the deletehidden parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch available. Contact vendor DB Electronica Telecomunicazioni S.p.A. for security updates and patching guidance.
🔧 Temporary Workarounds
Network Segmentation
Isolate Mozart FM Transmitters from untrusted networks and restrict access to management interfaces.
Web Application Firewall Rules
Block requests containing path traversal sequences (../, ..\, etc.) in the deletehidden parameter.
🧯 If You Can't Patch
- Implement strict network access controls to limit device exposure to trusted IP addresses only.
- Monitor and alert on any attempts to access the vulnerable endpoint or use path traversal patterns in HTTP requests.
🔍 How to Verify
Check if Vulnerable:
Test by sending HTTP requests with path traversal sequences in the deletehidden parameter to the device's web interface and checking whether a file is deleted.
Check Version:
Check device web interface or contact vendor for version information.
Verify Fix Applied:
Verify that path traversal attempts no longer result in file deletion and that the deletehidden parameter is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'deletehidden' parameter with '../' or similar traversal sequences
- Unexpected file deletion events in system logs
Network Indicators:
- HTTP POST/GET requests to device management interface with suspicious parameters
- Traffic patterns indicating file deletion attempts
SIEM Query:
http.url:*deletehidden* AND (http.uri:*../* OR http.uri:*..\*)
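The log indicators above, turned into a small scanner over constructed access-log lines. This is an added example, not code from the advisory or the vendor; it also normalizes percent-encoded (including double-encoded) and backslash variants, which the literal SIEM query above would miss. The endpoint path /cgi-bin/files.cgi and the log lines are placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format. The endpoint path
# /cgi-bin/files.cgi is a placeholder; the advisory does not name the real one.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
203.0.113.11 - - [12/Jan/2025:10:00:02 +0000] "GET /cgi-bin/files.cgi?deletehidden=backup.tgz HTTP/1.1" 200 88
203.0.113.12 - - [12/Jan/2025:10:00:03 +0000] "GET /cgi-bin/files.cgi?deletehidden=../../etc/config.tgz HTTP/1.1" 200 88
203.0.113.13 - - [12/Jan/2025:10:00:04 +0000] "POST /cgi-bin/files.cgi?deletehidden=%252e%252e%252fboot.tgz HTTP/1.1" 200 88
203.0.113.14 - - [12/Jan/2025:10:00:05 +0000] "GET /cgi-bin/files.cgi?deletehidden=..%5c..%5cfw.tgz HTTP/1.1" 200 88
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# A ".." path segment bounded by a slash or backslash (or the string edge).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def normalize(value: str) -> str:
    """Undo up to two layers of percent-encoding (catches %2e%2e%2f and %252e...)."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(normalize(value)) is not None


def scan_log(text: str) -> list:
    """One alert dict per request whose deletehidden value carries a traversal sequence."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        # parse_qs already percent-decodes each value once; normalize() handles a second layer.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get("deletehidden", []):
            if has_traversal(raw):
                alerts.append({"src": src, "time": ts, "method": method,
                               "status": int(status), "value": normalize(raw)})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['src']} {a['method']} deletehidden={a['value']!r} -> {a['status']}")
```

A 200 status on a flagged request is the signal to correlate with the file-deletion events listed under Log Indicators.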