Overview: CVE-2025-66265 describes a critical privilege escalation vulnerability affecting CMService.exe. This vulnerability arises from the creation of the C:\usr directory and its subdirectories with overly permissive permissions, specifically granting write access to all authenticated users. This flaw allows malicious actors with standard user accounts to potentially overwrite critical configuration files or inject malicious DLLs, ultimately leading to privilege escalation and system compromise.

Technical Details: The root cause of CVE-2025-66265 lies in the insecure default permissions assigned to the C:\usr directory and its subdirectories when created by CMService.exe. Authenticated users, even those with low privileges, can modify files within these directories.…
-
Overview: CVE-2025-66264 describes a critical vulnerability found in the CMService.exe service. This service, which runs with SYSTEM privileges, contains an unquoted service path. This flaw allows a local attacker with write access to the filesystem to potentially escalate their privileges to SYSTEM by injecting a malicious executable into a directory within the service’s path.

Technical Details: The vulnerability stems from the way the Windows operating system parses service paths that lack quotation marks. When a service path is not enclosed in quotes, Windows treats each space in the path as a possible end of the executable name and tries each resulting prefix in turn. For example, if the…
-
Overview: CVE-2025-66263 is a security vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. This vulnerability allows an unauthenticated attacker to read arbitrary files on the system due to a null byte injection flaw in the download_setting.php endpoint.

Technical Details: The vulnerability lies in the /var/tdf/download_setting.php endpoint, which is intended for downloading configuration settings. This endpoint constructs file paths by concatenating a user-controlled $_GET['filename'] parameter with the .tgz extension. Because the application runs on PHP 5.3.2 (pre-5.3.4), it is susceptible to null byte injection. By injecting a…
-
Overview: CVE-2025-66262 is a critical vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. This vulnerability allows an attacker to overwrite arbitrary files on the system due to improper handling of Tar archive extraction. Specifically, the restore_mozzi_memories.sh script uses the -C / flag during Tar extraction without proper path validation, leading to a path traversal vulnerability.

Technical Details: The core of the vulnerability lies in the restore_mozzi_memories.sh script. This script extracts user-controlled Tar archives using the command tar -xzf [archive_name] -C /. The -C / option instructs Tar to change the directory to the root directory (/) before extracting files.…
-
Overview: CVE-2025-66261 details a critical unauthenticated OS command injection vulnerability found in DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. This vulnerability allows an attacker to execute arbitrary commands on the underlying operating system without authentication, potentially leading to complete system compromise.

Technical Details: The vulnerability resides in the /var/tdf/restore_settings.php endpoint. The application improperly handles the name parameter passed via the $_GET array. Specifically, the value of the name parameter is processed through the urldecode() function and then directly passed to the exec() function without any validation or…
-
Overview: CVE-2025-66260 details a critical SQL injection vulnerability found in DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Specifically, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 are affected. The vulnerability resides within the `status_sql.php` endpoint, potentially allowing attackers to execute arbitrary SQL commands on the underlying PostgreSQL database.

Technical Details: The vulnerability stems from the `status_sql.php` endpoint’s improper handling of user-supplied input. The script constructs SQL `UPDATE` queries by directly concatenating the values of the `sw1` and `sw2` parameters without proper sanitization or the use of parameterized queries. Crucially, the code fails to use functions…
-
Overview: CVE-2025-66259 details a critical remote code execution (RCE) vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. The vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary code with root privileges on the affected device. This is due to insufficient user input validation within the main_ok.php script. Affected versions include 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000.

Technical Details: The vulnerability stems from the main_ok.php script, where user-supplied data related to date and time settings (data, hour, time) is passed directly into the date shell command without proper sanitization. This lack of…
-
Overview: CVE-2025-66258 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Specifically, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 are susceptible. This vulnerability allows an attacker to inject malicious JavaScript code into the system, potentially leading to unauthorized actions, data theft, or service disruption.

Technical Details: The vulnerability stems from improper handling of filenames within the patchlist.xml file. User-controlled filenames are directly concatenated into this XML file without adequate encoding or sanitization. An attacker can exploit this by crafting filenames containing malicious JavaScript payloads (e.g., <img src=x onerror=alert()>.bin). When…
-
Overview: CVE-2025-66257 describes a critical security vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Specifically, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 are susceptible to an unauthenticated arbitrary file deletion vulnerability. This allows a remote attacker to delete arbitrary files on the device without requiring any authentication.

Technical Details: The vulnerability resides in the `patch_contents.php` script. The `deletepatch` parameter within this script is not properly sanitized and lacks access control checks. This means that a malicious actor can craft a request containing a path to a file within the `/var/www/patch/` directory and have…
-
Overview: CVE-2025-66256 is a critical security vulnerability affecting DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. This vulnerability allows an unauthenticated attacker to upload arbitrary files to the system, potentially leading to remote code execution, system compromise, and other severe consequences.

Technical Details: The vulnerability resides in the /var/tdf/patch_contents.php endpoint. This endpoint lacks proper authentication and authorization mechanisms, allowing anyone with network access to the device to upload files. Furthermore, the endpoint does not implement adequate file type validation, MIME type checking, or file size restrictions (beyond a…