CVE-2025-66257

CRITICAL

DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter - Pat...

Title source: llm

Description

Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks.

References (1)

[Exploit, Third Party Advisory] https://www.abdulmhsblog.com/posts/webfmvulns/

Scores

CVSS v3 9.1

EPSS 0.0009

EPSS Percentile 25.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-73

Status published

Products (22)

dbbroadcast/mozart_dds_next_1000_firmware

dbbroadcast/mozart_dds_next_100_firmware

dbbroadcast/mozart_dds_next_2000_firmware

dbbroadcast/mozart_dds_next_3000_firmware

dbbroadcast/mozart_dds_next_300_firmware

dbbroadcast/mozart_dds_next_30_firmware

dbbroadcast/mozart_dds_next_3500_firmware

dbbroadcast/mozart_dds_next_500_firmware

dbbroadcast/mozart_dds_next_50_firmware

dbbroadcast/mozart_dds_next_6000_firmware

... and 12 more

Published Nov 26, 2025

Tracked Since Feb 18, 2026