CVE-2025-66263
📋 TL;DR
This vulnerability allows unauthenticated attackers to read arbitrary files on DB Electronica Telecomunicazioni Mozart FM Transmitters by exploiting null byte injection in PHP 5.3.2. Attackers can bypass file extension restrictions and directory traversal protections to access sensitive system files. All Mozart FM Transmitter models running vulnerable PHP versions are affected.
💻 Affected Systems
- DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
📦 What is this software?
Mozart Dds Next 1000 Firmware by Dbbroadcast
Mozart Dds Next 2000 Firmware by Dbbroadcast
Mozart Dds Next 3000 Firmware by Dbbroadcast
Mozart Dds Next 3500 Firmware by Dbbroadcast
Mozart Dds Next 6000 Firmware by Dbbroadcast
Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading of configuration files, passwords, SSH keys, and other sensitive data, potentially leading to full device takeover and lateral movement in the network.
Likely Case
Disclosure of sensitive configuration files, passwords, and system information that could enable further attacks or operational disruption.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and file permission restrictions are in place.
🎯 Exploit Status
Exploitation requires only simple HTTP requests with null byte injection in the filename parameter. Public technical details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
1. Contact DB Electronica Telecomunicazioni for an official patch.
2. If unavailable, upgrade PHP to version 5.3.4 or later.
3. Apply input validation to download_setting.php.
🔧 Temporary Workarounds
PHP Version Upgrade
Upgrade PHP to version 5.3.4 or later, where null byte injection is fixed at the PHP level.
# Debian/Ubuntu: the PHP 5 package is named php5 (there is no php5.3.4 package); confirm with php -v afterwards that the installed version is 5.3.4 or later
apt-get update && apt-get install --only-upgrade php5
# RHEL/CentOS
yum update php
Web Application Firewall Rule
Block requests containing null bytes or suspicious path traversal patterns.
# Configure WAF to block %00 in URLs and ../ patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FM transmitters from sensitive networks
- Apply file system permissions to restrict web server user access to sensitive directories
🔍 How to Verify
Check if Vulnerable:
Test by sending a GET request to /var/tdf/download_setting.php?filename=../../../../etc/passwd%00 and checking whether the contents of /etc/passwd are returned.
Check Version:
php -v | grep "PHP 5.3"
Verify Fix Applied:
Attempt the same request after applying the fixes; the response should be an error or contain no file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to download_setting.php with %00 in parameters
- Requests containing ../ patterns in filename parameter
Network Indicators:
- Unusual file read patterns from FM transmitter web interface
- GET requests with null byte encoding
SIEM Query:
source="web_logs" AND uri="/var/tdf/download_setting.php" AND (query CONTAINS "%00" OR query CONTAINS "../")
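The log indicators above, turned into a small scanner over constructed sample access-log lines (an added example, not code from the advisory or the vendor). It URL-decodes the query repeatedly, so double-encoded variants such as %2500 and %252e are flagged as well as the plain %00 and ../ patterns the SIEM query looks for.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format) for this demo;
# the addresses and timestamps are made up, not from any real device.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:10:01:02 +0000] "GET /var/tdf/download_setting.php?filename=settings.cfg HTTP/1.1" 200 812
203.0.113.9 - - [12/Mar/2025:10:01:07 +0000] "GET /var/tdf/download_setting.php?filename=../../../../etc/passwd%00 HTTP/1.1" 200 1432
203.0.113.9 - - [12/Mar/2025:10:01:09 +0000] "GET /var/tdf/download_setting.php?filename=..%2F..%2F..%2Fetc%2Fpasswd%2500.cfg HTTP/1.1" 200 640
198.51.100.2 - - [12/Mar/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/var/tdf/download_setting.php"

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2500, %252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target):
    """Return the indicator names found in one request target; empty list if clean."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    query = decode_fully(parts.query)
    hits = []
    if "\x00" in query:
        hits.append("null_byte")
    if "../" in query or "..\\" in query:
        hits.append("path_traversal")
    return hits

def scan_log(text):
    """Return (ip, timestamp, status, indicators) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("ts"), int(m.group("status")), hits))
    return findings

if __name__ == "__main__":
    for ip, ts, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} indicators={','.join(hits)}")
```

A hit with status 200 on the traversal line is the case to escalate, since it suggests the file contents were actually served rather than refused.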