CVE-2025-66254

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to delete arbitrary files from the /var/www/upload/ directory on affected Mozart FM Transmitters. Attackers can exploit the deleteupgrade parameter in upgrade_contents.php without any authentication, potentially removing critical system files. All users of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 are affected.

💻 Affected Systems

Products:
  • DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
Operating Systems: Embedded Linux (assumed based on file paths)
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with the vulnerable upgrade_contents.php file are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical system files, causing device bricking, service disruption, or enabling further attacks by removing security controls.

🟠 Likely Case: Service disruption through deletion of configuration files, web application files, or uploaded content, leading to downtime and operational impact.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external exploitation, though internal threats remain.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and affects web-accessible endpoints, making internet-facing devices extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the lack of authentication allows any network user to exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. No authentication needed. Weaponization is likely due to low complexity and high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Contact vendor for updates. Consider implementing workarounds immediately.

🔧 Temporary Workarounds

Remove or Restrict Access to upgrade_contents.php (Linux)

Delete or move the vulnerable file, or implement strict access controls. Moving the file renames it, so the permission change must target the renamed copy:

mv /var/www/upgrade_contents.php /var/www/upgrade_contents.php.disabled
chmod 000 /var/www/upgrade_contents.php.disabled

Implement Web Application Firewall Rules (all platforms)

Block requests containing the deleteupgrade parameter or targeting upgrade_contents.php.

🧯 If You Can't Patch

  • Isolate affected devices in a separate network segment with strict firewall rules blocking external access.
  • Implement monitoring and alerting for file deletion attempts in /var/www/upload/ directory.

🔍 How to Verify

Check if Vulnerable:

Check whether /var/www/upgrade_contents.php exists and handles the deleteupgrade parameter without authentication. Test with a controlled file-deletion attempt.

Check Version:

Check device web interface or system documentation for model/version information.

Verify Fix Applied:

Verify upgrade_contents.php is removed, disabled, or patched. Test that file deletion via deleteupgrade parameter no longer works.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to upgrade_contents.php with deleteupgrade parameter
  • File deletion events in /var/www/upload/ directory

Network Indicators:

  • HTTP POST/GET requests containing deleteupgrade parameter
  • Unusual traffic patterns to the device's web interface

SIEM Query:

source="web_logs" AND uri="/upgrade_contents.php" AND (param="deleteupgrade" OR body CONTAINS "deleteupgrade")
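The log indicator above, expressed as a small Python checker over web-server access logs. This is an added example, not part of the advisory: the path and parameter name come from the advisory, the log lines are constructed, and the combined log format is an assumption about the device's web server.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real device logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /upgrade_contents.php?deleteupgrade=firmware.bin HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /upgrade_contents.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?deleteupgrade=config.xml HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:12 +0000] "GET /upgrade_contents.php?%64eleteupgrade=config.xml HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:15 +0000] "POST /upgrade_contents.php HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# Client address, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_request(target):
    """Split a request target into its decoded path and its query parameters.
    parse_qs percent-decodes parameter names too, so encoded variants normalise."""
    parts = urlsplit(target)
    return unquote(parts.path), parse_qs(parts.query, keep_blank_values=True)

def is_deleteupgrade_request(target):
    """True if the target is upgrade_contents.php carrying a deleteupgrade parameter.
    Access logs only show the query string; a deleteupgrade in a POST body is
    invisible here and needs the WAF body rule from the workaround section."""
    path, params = parse_request(target)
    return path.endswith("/upgrade_contents.php") and "deleteupgrade" in params

def find_deleteupgrade_requests(lines):
    """Return (ip, timestamp, method, status, requested_name) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_deleteupgrade_request(m["target"]):
            _, params = parse_request(m["target"])
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"]),
                         params["deleteupgrade"][0]))
    return hits

if __name__ == "__main__":
    for hit in find_deleteupgrade_requests(SAMPLE_LOG):
        print("deleteupgrade request:", hit)
```

Of the five constructed lines only the first and fourth are flagged: the plain view of the page, the same parameter on a different path, and the POST with no query string are not.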
