CVE-2025-66251: Critical Vulnerability in DB Electronica Mozart FM Transmitters – Unauthenticated Arbitrary File Deletion

Overview

CVE-2025-66251 describes a critical vulnerability affecting DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitters (versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000). This vulnerability allows an unauthenticated attacker to perform arbitrary file deletion due to a path traversal issue associated with the `deletehidden` parameter. Specifically, an attacker can manipulate this parameter to delete arbitrary `.tgz` files on the system.

Technical Details

The vulnerability stems from insufficient input validation when handling the `deletehidden` parameter. An attacker can exploit this by crafting a malicious request that includes a path traversal sequence (e.g., `../../`) within the `deletehidden` parameter value. This allows the attacker to bypass intended directory restrictions and target `.tgz` files outside of the permitted directories for deletion. Because no authentication is required, the attack can be carried out remotely without any prior access or credentials.

Example vulnerable request (illustrative):

    GET /some/path?deletehidden=../../../../etc/shadow.tgz HTTP/1.1
    Host: vulnerable-transmitter.example.com

Disclaimer: This is a simplified example. The exact request parameters and paths may vary depending on the specific software implementation.

CVSS Analysis

At the time of writing (2024-02-29), a CVSS score is not yet available for CVE-2025-66251. However, given the unauthenticated nature of the vulnerability and the ability to delete arbitrary files, it is highly likely that the CVSS score will be rated as Critical or High. A detailed CVSS breakdown will be provided once available.

Factors contributing to the severity include:

  • Unauthenticated Access: No login or credentials are required to exploit the vulnerability.
  • Arbitrary File Deletion: The attacker can delete any `.tgz` file on the system, potentially leading to system instability, data loss, and denial of service.
  • Path Traversal: The vulnerability allows bypassing intended directory restrictions.

Possible Impact

Successful exploitation of CVE-2025-66251 can have severe consequences, including:

  • Denial of Service (DoS): Deleting critical system files can render the FM transmitter unusable.
  • Data Loss: Important configuration files, logs, or other data stored as `.tgz` archives can be permanently deleted.
  • System Instability: Deleting essential software components can lead to unpredictable system behavior.
  • Potential for Further Attacks: Depending on the files deleted and their importance, the attacker may be able to leverage the initial compromise to gain further access or control over the system.

Mitigation and Patch Steps

The primary mitigation strategy is to apply the official patch released by DB Electronica Telecomunicazioni S.p.A. as soon as it becomes available. Contact DB Electronica support for information about obtaining the patch. In the meantime, consider the following temporary workarounds:

  • Implement Network Segmentation: Isolate the FM transmitter on a separate network segment to limit the potential impact of a successful attack.
  • Restrict Access: Implement access control lists (ACLs) or firewall rules to limit access to the FM transmitter’s management interface to only authorized IP addresses.
  • Monitor Network Traffic: Implement intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and block suspicious requests targeting the FM transmitter. Pay close attention to requests containing path traversal sequences or attempting to access sensitive files.

Note: These are temporary workarounds and should not be considered a substitute for applying the official patch.
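
The monitoring advice above, as an added example (not code from the vendor or from this post): a Python scan of web access-log lines for `deletehidden` values that contain a `..` path segment once percent-encoding, including double encoding, has been removed. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (common log format); not captured from a real device.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /some/path?deletehidden=backup_01.tgz HTTP/1.1" 200 12
198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /some/path?deletehidden=../../../../etc/shadow.tgz HTTP/1.1" 200 12
198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "GET /some/path?deletehidden=%2e%2e%2fconf.tgz HTTP/1.1" 200 12
198.51.100.9 - - [01/Jan/2025:10:00:12 +0000] "GET /some/path?deletehidden=%252e%252e%255cconf.tgz HTTP/1.1" 200 12
198.51.100.3 - - [01/Jan/2025:10:01:00 +0000] "GET /status?view=..%2Fx HTTP/1.1" 200 5
"""

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so layered encodings (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))


def scan(lines):
    """Return (line number, client, decoded value) for suspicious deletehidden values."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qsl removes one encoding layer; fully_decode removes the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == "deletehidden" and has_traversal(value):
                hits.append((lineno, match.group("ip"), fully_decode(value)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Access logs record only the request line, so a `deletehidden` value sent in a request body needs the same check applied at a reverse proxy or IDS.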

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
