CVE-2025-66262

CRITICAL

DB Electronica Mozart FM Transmitter - Path Traversal via Tar Extraction


Description

An arbitrary file overwrite vulnerability, caused by path traversal during tar extraction, in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to overwrite arbitrary files via a crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
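The check the description says is missing, as an added Python example (not code from the vendor's script or the referenced advisory): every archive member is validated before extraction, and files are restored into a dedicated directory instead of `/`. The `memories/` prefix, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import os
import posixpath
import tarfile

ALLOWED_PREFIX = "memories/"  # assumption: where legitimate backup files live

def build_archive(names):
    """Constructed sample: in-memory .tgz holding a dummy file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def rejected_members(archive_bytes, allowed_prefix=ALLOWED_PREFIX):
    """Return (name, reason) for each member that must not be extracted."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar:
            norm = posixpath.normpath(m.name)
            if m.name.startswith("/"):
                problems.append((m.name, "absolute path"))
            elif ".." in m.name.split("/"):
                problems.append((m.name, "parent-directory component"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "link or special file"))
            elif not (norm + "/").startswith(allowed_prefix):
                problems.append((m.name, "outside allowed prefix"))
    return problems

def safe_restore(archive_bytes, dest_dir):
    """Extract into dest_dir (never /) only if every member passes the checks."""
    problems = rejected_members(archive_bytes)
    if problems:
        raise ValueError(f"archive rejected: {problems}")
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar:
            if not m.isfile():
                continue
            target = os.path.join(dest_dir, posixpath.normpath(m.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(m).read())
            written.append(target)
    return written
```

Rejecting the whole archive on the first bad member, rather than skipping that member, keeps a partially trusted upload from being restored at all.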

References (1)

Core References
Exploit, Third Party Advisory exploit technical-description
https://www.abdulmhsblog.com/posts/webfmvulns/

Scores

CVSS v3 9.8
EPSS 0.0120
EPSS Percentile 64.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (22)
dbbroadcast/mozart_dds_next_1000_firmware
dbbroadcast/mozart_dds_next_100_firmware
dbbroadcast/mozart_dds_next_2000_firmware
dbbroadcast/mozart_dds_next_3000_firmware
dbbroadcast/mozart_dds_next_300_firmware
dbbroadcast/mozart_dds_next_30_firmware
dbbroadcast/mozart_dds_next_3500_firmware
dbbroadcast/mozart_dds_next_500_firmware
dbbroadcast/mozart_dds_next_50_firmware
dbbroadcast/mozart_dds_next_6000_firmware
... and 12 more
Published Nov 26, 2025
Tracked Since Feb 18, 2026