CVE-2025-66263
published 2025-11-26CVE-2025-66263: Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500…
PriorityP352high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.34%
26.2th percentile
Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.
The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
| db_electronica_telecomunicazioni_s.p.a | mozart_fm_transmitter | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.08.9HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-26
Published