CVE-2025-66255
published 2025-11-26CVE-2025-66255: Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500…
PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.33%
24.9th percentile
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages.
The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.9CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-26
Published