Critical Vulnerability: Unauthenticated File Deletion in DB Elettronica Mozart FM Transmitters (CVE-2025-66254)

Overview

CVE-2025-66254 identifies a critical unauthenticated arbitrary file deletion vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. This vulnerability allows attackers to delete arbitrary files on the system without requiring any authentication. This poses a significant risk to the integrity and availability of the affected devices.

Technical Details

The vulnerability lies in the upgrade_contents.php script located at /var/www/upgrade_contents.php. The deleteupgrade parameter is used to specify the file to be deleted. However, the script lacks proper authentication and input sanitization, allowing an attacker to manipulate the deleteupgrade parameter to delete any file within the /var/www/upload/ directory. Crucially, there are no restrictions on the file extension or path sanitization implemented, which significantly widens the attack surface.

An attacker can exploit this vulnerability by crafting a malicious HTTP request to the upgrade_contents.php script with the deleteupgrade parameter set to the path of the file they wish to delete. For example:

    GET /upgrade_contents.php?deleteupgrade=important_system_file.txt HTTP/1.1
    Host: vulnerable-transmitter

This would delete /var/www/upload/important_system_file.txt, assuming it exists.

CVSS Analysis

Given the nature of the vulnerability, a CVSS score is needed to properly assess its severity. Because the issue has not yet been formally assessed, no CVSS score has been provided.

Possible Impact

The impact of this vulnerability is severe. An attacker could:

  • Delete critical system files, rendering the FM transmitter unusable.
  • Remove configuration files, leading to misconfiguration or malfunction of the device.
  • Disrupt broadcasting services, causing significant downtime and financial losses.
  • Delete uploaded firmware files, preventing legitimate upgrades.

Mitigation and Patch Steps

The following mitigation steps are recommended:

  • Apply the official patch: Contact DB Elettronica to obtain and apply the latest security patch for your specific Mozart FM Transmitter model.
  • Implement Authentication: Require authentication for accessing the upgrade_contents.php script. Only authorized users should be able to access this functionality.
  • Input Sanitization: Implement robust input sanitization on the deleteupgrade parameter. Verify that the input is a valid file name and that the path is within the allowed /var/www/upload/ directory. Prevent path traversal attempts (e.g., “..” sequences).
  • Principle of Least Privilege: Ensure that the web server process runs with the minimal necessary privileges.
  • Network Segmentation: Isolate the FM transmitter on a separate network segment to limit the potential impact of a compromise.
  • Web Application Firewall (WAF): Implement a Web Application Firewall to detect and block malicious requests targeting the upgrade_contents.php script.
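The authentication and input-sanitization steps above, written out as an added example of a hardened deletion handler; this is illustrative code, not the vendor's upgrade_contents.php, and it assumes the /var/www/upload/ directory from the advisory, a hypothetical session flag 'authenticated' set by the device's login page, and an assumed allow-list of upgrade file extensions.

```php
<?php
// Added example (not DB Elettronica's code): hardened handling of the
// deleteupgrade parameter. Assumptions: the upload directory from the
// advisory, a hypothetical $_SESSION['authenticated'] flag, and an assumed
// extension allow-list (bin|tar|gz|zip) standing in for real upgrade bundles.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/upload';

session_start();

// 1. Authentication: refuse any request without an authenticated session.
if (empty($_SESSION['authenticated'])) {
    http_response_code(401);
    exit('authentication required');
}

// 2. Deletion changes state, so accept the parameter only via POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['deleteupgrade'])) {
    http_response_code(405);
    exit('method not allowed');
}

/**
 * Map a user-supplied name to an existing file inside UPLOAD_DIR.
 * Returns null unless the name is a plain base name with an allowed
 * extension that resolves (after symlinks) to a regular file under UPLOAD_DIR.
 */
function resolveUpgradeFile(string $name): ?string
{
    // No slashes, no leading dot, bounded length, allow-listed extension.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(bin|tar|gz|zip)$/', $name)) {
        return null;
    }
    $real = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() returns false for missing files and follows symlinks, so the
    // prefix check defeats both "../" traversal and a symlink planted in upload/.
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

$target = resolveUpgradeFile((string) $_POST['deleteupgrade']);
if ($target === null) {
    http_response_code(400);
    exit('invalid file name');
}
if (!unlink($target)) {
    http_response_code(500);
    exit('delete failed');
}
// Audit trail: record who deleted which upgrade file.
error_log(sprintf('upgrade file %s deleted by %s', basename($target), $_SESSION['user'] ?? 'unknown'));
echo 'deleted';
```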

References

Abdulmhsblog.com – Web FM Vulnerabilities

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
