CVE-2025-66257

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to delete arbitrary files in the /var/www/patch/ directory of Mozart FM Transmitter devices. Attackers can exploit the deletepatch parameter in patch_contents.php without any authentication or access controls. All Mozart FM Transmitter models (30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000) are affected.

💻 Affected Systems

Products:
  • DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Versions: All versions. Affected models: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 (these are model designations, not firmware versions)
Operating Systems: Embedded Linux (presumed)
Default Config Vulnerable: ⚠️ Yes
Notes: All models with the patch_contents.php endpoint are vulnerable by default. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Loss of the files under /var/www/patch/, including any patch or update packages staged on the device, leaving the transmitter unpatchable or inoperable and removing controls that a follow-on attack would otherwise have to get past. The advisory scopes deletion to that directory; anything in it that the web server user can delete is at risk.

🟠

Likely Case

Service disruption by deleting configuration or operational files, potentially causing FM transmission outages or device malfunction.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and allows arbitrary file deletion, making internet-facing devices extremely vulnerable to disruption attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this to disrupt operations, though attack surface is reduced.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit: an attacker sends a single HTTP request to patch_contents.php with the deletepatch parameter set to the name of the target file. No session, credential or token is checked before the deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Contact DB Electronica Telecomunicazioni S.p.A. for security updates and patch availability.

🔧 Temporary Workarounds

Remove or Restrict Access to patch_contents.php

linux

Delete or rename the vulnerable patch_contents.php file so the endpoint no longer exists. The device's own patch/update workflow stops working while the file is disabled, and a firmware update may put it back, so re-check after every update.

mv /var/www/patch/patch_contents.php /var/www/patch/patch_contents.php.disabled

Implement Web Server Access Controls

linux

Configure the web server (Apache/Nginx) to refuse requests for the patch_contents.php endpoint. Note that blocking by file name stops the request before PHP runs, so the deletion code is never reached.

# Apache 2.4: add to the virtual host config (or .htaccess, only if AllowOverride permits it)
<Files "patch_contents.php">
    Require all denied
</Files>
# Apache 2.2 uses the older syntax instead of "Require all denied":
#     Order Deny,Allow
#     Deny from all
# Nginx: add to the server block. An exact-match location takes priority over the
# regex location (typically "location ~ \.php$") that hands .php files to PHP-FPM,
# so this block wins regardless of where it appears in the file.
location = /patch/patch_contents.php {
    return 403;
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FM transmitters from untrusted networks
  • Deploy a web application firewall (WAF) with a rule that blocks requests carrying a 'deletepatch' parameter; because the parameter travels in the POST body, the WAF must inspect request bodies, not only URLs and query strings

🔍 How to Verify

Check if Vulnerable:

On the device, confirm that /var/www/patch/patch_contents.php exists and that the code path handling the deletepatch parameter deletes the named file without any session or credential check in front of it. From the network, send the request the advisory describes, but with a filename that does not exist: curl -X POST 'http://device-ip/patch/patch_contents.php' --data 'deletepatch=does-not-exist-0000.txt'. Do not use a real filename such as test.txt: on an unpatched device the request deletes it. A 200 to an unauthenticated request shows the endpoint is still exposed; 401, 403 or 404 shows a workaround is in place.
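The following is an added example, not code from the advisory or the vendor. It performs the network-side check in a way that cannot destroy anything: the deletepatch value is a random filename that cannot exist under /var/www/patch/, and 3xx answers are surfaced rather than followed so a redirect to a login page is not mistaken for success. The endpoint path is taken from this page; the verdict labels are this example's own.

```python
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Endpoint location as given on this page; adjust if your device serves it elsewhere.
ENDPOINT_PATH = "/patch/patch_contents.php"


def probe_name():
    """Filename that cannot match anything under /var/www/patch/, so the probe is
    harmless even on an unpatched device (unlike a 'deletepatch=test.txt' probe)."""
    return "cve-2025-66257-probe-" + secrets.token_hex(8) + ".nonexistent"


def interpret(status):
    """Turn an HTTP status code (None = no HTTP answer at all) into a verdict.

    'exposed' only means the endpoint still answers unauthenticated POSTs; the
    device's response body is not documented, so a 200 does not by itself prove
    that a real file would have been deleted. Treat it as 'workaround not in place'."""
    if status is None:
        return "unreachable"
    if status in (401, 403, 404, 410):
        return "blocked"
    if 300 <= status < 400:
        return "redirected"        # often a login page: inspect by hand
    if 200 <= status < 300:
        return "exposed"
    return "inconclusive"          # 5xx and anything else


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=5):
    """POST a harmless deletepatch value to the endpoint and classify the answer."""
    body = urllib.parse.urlencode({"deletepatch": probe_name()}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT_PATH,
                                 data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except (urllib.error.URLError, OSError):
        status = None
    return {"status": status, "verdict": interpret(status)}


if __name__ == "__main__":
    import sys
    # Usage: python probe.py http://device-ip   (192.0.2.1 below is a placeholder)
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.1"))
```

Run it before and after applying a workaround: the verdict should move from "exposed" to "blocked" (or "redirected" if the vendor's fix introduces a login). An "inconclusive" 5xx on an unpatched device means the PHP ran and failed on the bogus name, which still shows the endpoint is reachable without authentication.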

Check Version:

Check device web interface or contact vendor for version information

Verify Fix Applied:

Verify that patch_contents.php is removed/renamed or that the web server answers 401/403/404 for it, then repeat the harmless probe request with a non-existent filename and confirm it no longer succeeds.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /patch/patch_contents.php
  • Log entries showing file deletion in /var/www/patch/ directory
  • 403/404 responses for patch_contents.php after remediation: each one is an exploitation attempt that the workaround stopped, and the source IPs are worth blocking

Network Indicators:

  • HTTP POST requests containing a 'deletepatch' parameter (visible only to a WAF, reverse proxy or IDS that inspects request bodies; plain access logs show the endpoint hit but not the parameter)
  • Unusual traffic to FM transmitter web interfaces from external IPs

SIEM Query:

source="web_server_logs" AND (uri="/patch/patch_contents.php" OR uri="/patch_contents.php") AND method="POST" AND (param="deletepatch" OR body CONTAINS "deletepatch")

The query is pseudo-syntax; adapt field names to your SIEM. The body CONTAINS clause only matches if the log source records request bodies (WAF or reverse proxy logs); for standard access logs drop the parameter condition and alert on every POST to the endpoint, since legitimate traffic to it should be rare and come only from administrator addresses.
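The following is an added example, not code from the advisory or the vendor, that runs the detection logic above over constructed log lines. It assumes the combined access-log format for the web server and, for the body-aware source, a reverse-proxy/WAF line layout of the form "ip method path body=..." that is invented for this example; the traversal check is an extra heuristic that the advisory does not state. It also shows why the two sources are both needed: the POST on the first access-log line is an indicator on its own, but its deletepatch value only appears in the body-aware log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/patch_contents.php"   # matched as a path suffix, so /patch/patch_contents.php qualifies

# Constructed sample lines in Apache/Nginx combined format (not real device logs).
# A POST body never appears here, so line 1 shows the endpoint hit but not the target.
ACCESS_LOG = """\
203.0.113.7 - - [12/Dec/2025:10:01:02 +0000] "POST /patch/patch_contents.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Dec/2025:10:01:05 +0000] "GET /patch/patch_contents.php?deletepatch=fw_v2.bin HTTP/1.1" 200 480 "-" "curl/8.4.0"
192.0.2.10 - - [12/Dec/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Dec/2025:10:03:00 +0000] "POST /patch/patch_contents.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Constructed lines from a reverse proxy or WAF that logs request bodies; the
# "<ip> <method> <path> body=<urlencoded body>" layout is assumed for this example.
BODY_LOG = """\
203.0.113.7 POST /patch/patch_contents.php body=deletepatch=fw_v2.bin
203.0.113.7 POST /patch/patch_contents.php body=deletepatch=..%2F..%2Fetc%2Fpasswd
10.0.0.5 POST /patch/patch_contents.php body=uploadpatch=1
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
BODY_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$')


def deletepatch_value(encoded):
    """deletepatch value from a query string or urlencoded body, or None if absent."""
    values = parse_qs(encoded, keep_blank_values=True).get("deletepatch")
    return values[0] if values else None


def looks_like_traversal(value):
    """Extra heuristic (not from the advisory): does the value try to leave the patch dir?"""
    decoded = unquote(value).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")


def _finding(ip, method, target, status=None, source="access"):
    return {
        "ip": ip, "method": method, "status": status, "target": target,
        "traversal": bool(target) and looks_like_traversal(target), "source": source,
    }


def scan_access_log(text):
    """Any request to the endpoint is an indicator; the target is only visible for GETs."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        hits.append(_finding(m["ip"], m["method"], deletepatch_value(url.query), int(m["status"])))
    return hits


def scan_body_log(text):
    """Body-aware source: here the deletepatch value of a POST becomes visible."""
    hits = []
    for line in text.splitlines():
        m = BODY_RE.match(line)
        if not m or not m["path"].endswith(ENDPOINT):
            continue
        target = deletepatch_value(m["body"])
        if target is not None:
            hits.append(_finding(m["ip"], m["method"], target, source="body"))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG) + scan_body_log(BODY_LOG):
        print(hit)
```

On the sample data the access-log scan yields three findings (two successful requests from 203.0.113.7 and one 403 from 198.51.100.4 that a workaround stopped), and the body-aware scan recovers the deleted file names, one of which points outside the patch directory.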

🔗 References
