Overview
CVE-2025-66257 describes a critical security vulnerability affecting DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Specifically, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 are susceptible to an unauthenticated arbitrary file deletion vulnerability. This allows a remote attacker to delete arbitrary files on the device without requiring any authentication.
Technical Details
The vulnerability resides in the `patch_contents.php` script. The `deletepatch` parameter within this script is not properly sanitized and lacks access control checks. This means that a malicious actor can craft a request containing a path to a file within the `/var/www/patch/` directory and have it deleted. The lack of authentication makes this vulnerability exceptionally dangerous as anyone with network access to the device can exploit it.
Exploitation is relatively straightforward. An attacker simply needs to send an HTTP request to `patch_contents.php` with the `deletepatch` parameter set to the path of the file they wish to delete. For example:
GET /patch_contents.php?deletepatch=../../../../../../etc/passwd HTTP/1.1
Host: [target_ip]
Note that the example uses directory traversal (`../` sequences) to reach files outside the intended `/var/www/patch/` directory; whether traversal is needed, or even possible, depends on what path handling, if any, the script applies to the `deletepatch` value before deleting the file.
CVSS Analysis
Currently, a CVSS score is not available (N/A). However, due to the unauthenticated nature and the ability to delete arbitrary files, the severity is expected to be critical. A successful exploit could lead to significant disruption of service, data loss, or even complete system compromise. A high CVSS score reflecting the severe impact is anticipated upon official assessment. The CVSS vector will likely include AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Network, Low complexity, No privileges, No user interaction, Unchanged scope, High Confidentiality Impact, High Integrity Impact, High Availability Impact). This assumes that the files deleted are critical for system operation.
Possible Impact
The consequences of exploiting this vulnerability can be severe, including:
- Denial of Service (DoS): Deleting critical system files can render the FM transmitter inoperable.
- Data Loss: Deletion of configuration files or other important data.
- System Compromise: While direct system compromise may not be immediately apparent, deleting specific files could create pathways for further exploitation.
Mitigation and Patch Steps
The primary mitigation strategy is to apply the security patch released by DB Electronica Telecomunicazioni S.p.A. If a patch is not yet available, consider the following temporary workarounds:
- Restrict Network Access: Limit access to the FM transmitter’s web interface to trusted networks or IP addresses only.
- Web Application Firewall (WAF): Implement a WAF to filter out malicious requests targeting the `patch_contents.php` script. Specifically, block requests containing directory traversal attempts or known malicious payloads in the `deletepatch` parameter.
- Disable `patch_contents.php` (If Possible): If the functionality provided by `patch_contents.php` is not essential, consider disabling the script altogether. This should only be done if the consequences are fully understood and acceptable.
Most importantly, monitor DB Electronica’s website for the release of an official patch and apply it immediately.
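As an added illustration of the WAF and monitoring workarounds above (example code written for this page, not part of the advisory or the vendor's firmware), the following Python checks whether a `deletepatch` value would stay inside `/var/www/patch/` and scans constructed web-server access-log lines for requests to `patch_contents.php` that would not. The log format, IP addresses and file names are assumed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory the script is meant to operate on, as stated in the advisory.
PATCH_DIR = "/var/www/patch/"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolves_inside_patch_dir(param: str) -> bool:
    """True only if the deletepatch value names a file that stays under PATCH_DIR.
    Pure path arithmetic, no filesystem access, so it can run in a filter or a test."""
    candidate = fully_decode(param).replace("\\", "/")
    if not candidate or "\x00" in candidate:
        return False
    if posixpath.isabs(candidate):  # absolute paths are never legitimate here
        return False
    resolved = posixpath.normpath(posixpath.join(PATCH_DIR, candidate))
    return resolved.startswith(PATCH_DIR) and resolved != PATCH_DIR.rstrip("/")


# Common log format: ip ident user [time] "METHOD target PROTO" status (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_deletepatch_requests(log_lines):
    """Return (ip, target) for patch_contents.php requests whose deletepatch value
    would escape /var/www/patch/ (the pattern a WAF rule should block)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/patch_contents.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("deletepatch", []):
            if not resolves_inside_patch_dir(value):
                hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (not real traffic); the first reuses the advisory's request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /patch_contents.php?deletepatch=../../../../../../etc/passwd HTTP/1.1" 200 12',
    '203.0.113.7 - - [10/Jan/2025:12:00:05 +0000] "GET /patch_contents.php?deletepatch=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jan/2025:12:01:00 +0000] "GET /patch_contents.php?deletepatch=update_v2.bin HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jan/2025:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in suspicious_deletepatch_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The path check rejects traversal, absolute paths and encoded variants; it does not replace the missing authentication on the script, which only the vendor patch can restore.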
