CVE-2025-63228
Published: 18 November 2025
Description
The Mozart FM Transmitter web management interface, version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SI-10 (Information Input Validation) requires validation of all information inputs. For /upload_file.php that means checking the declared file type against the actual content, rejecting executable extensions such as .php, and refusing filenames that carry path components, so that a PHP webshell is never accepted in the first place.
AC-3 (Access Enforcement) enforces approved authorizations. Requiring an authenticated, authorized session before /upload_file.php processes a request removes the unauthenticated (PR:N) precondition that makes this flaw remotely exploitable.
SI-9 (Information Input Restrictions) is listed here, but it is a withdrawn control in 800-53 (its content was incorporated into AC-2, AC-3, AC-5 and AC-6). Limiting uploads to safe types is part of SI-10; keeping the /upload/ directory from serving or executing stored files is a least-privilege matter under AC-6 (no execute permission for the upload location, web server running without rights to write to served script paths).
Security Summary (AI-generated)
CVE-2025-63228 is an unauthenticated file upload vulnerability in the web management interface of the Mozart FM Transmitter, specifically version WEBMOZZI-00287. The flaw resides in the /upload_file.php endpoint, which fails to properly validate or restrict uploaded files, allowing malicious payloads such as PHP webshells to be processed and stored in the /upload/ directory. This issue, published on 2025-11-18, is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
An unauthenticated attacker with network access to the affected interface can exploit the vulnerability by sending a crafted POST request containing a malicious file to the /upload_file.php endpoint. Successful exploitation stores the file in the /upload/ directory, enabling remote code execution on the server and potentially leading to full system compromise, including unauthorized access to sensitive data and control over the device.
Mitigation details and further analysis are available in the referenced resources, including a research repository with proof-of-concept at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63228_Mozart_FM_Transmitter_Unauthenticated_File_Upload and the vendor site at https://www.dbbroadcast.com/. Security practitioners should review these for patch availability or workarounds specific to the Mozart FM Transmitter.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Affected Products
- Mozart FM Transmitter web management interface, version WEBMOZZI-00287
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The unauthenticated file upload in the web management interface is exploited over the network against a public-facing application (T1190), and the uploaded PHP webshell is a server software component the attacker then invokes for remote code execution (T1505.003, Server Software Component: Web Shell; this was formerly tracked as T1100, which has been revoked).
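What those two techniques look like in a device's web-server access log, as an added Python example (not from the advisory, the vendor or the proof-of-concept repository): it parses combined-format log lines, flags POSTs to /upload_file.php (T1190) and any request for a script under /upload/ (the web shell being used, T1505.003), and notes whether the same client uploaded something first. The log lines, client addresses and the shell name x.php are constructed; the transmitter's real log format is assumed to be combined format.

```python
"""Detection over web-server access logs for the two techniques above.

Added example; not part of the advisory or the vendor's tooling. Assumes the
device logs in Apache/nginx combined format. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Scripts served from the upload directory: the shell being invoked.
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)

UPLOAD_ENDPOINT = "/upload_file.php"
UPLOAD_DIR = "/upload/"

# Constructed sample: one client uploads then calls a shell, one client only
# fetches an image, one client uploads with no follow-up seen.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1043
203.0.113.7 - - [18/Nov/2025:10:01:05 +0000] "POST /upload_file.php HTTP/1.1" 200 57
203.0.113.7 - - [18/Nov/2025:10:01:09 +0000] "GET /upload/x.php?cmd=id HTTP/1.1" 200 211
198.51.100.4 - - [18/Nov/2025:10:05:00 +0000] "GET /upload/logo.png HTTP/1.1" 200 8931
192.0.2.9 - - [18/Nov/2025:10:07:31 +0000] "POST /upload_file.php HTTP/1.1" 200 57
"""


def parse(log_text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text):
    """Return a list of (client_ip, technique_id, evidence) findings in log order."""
    findings = []
    uploads_by_ip = defaultdict(list)
    for r in parse(log_text):
        path = r["path"]
        bare = path.split("?", 1)[0]
        if r["method"] == "POST" and bare == UPLOAD_ENDPOINT:
            # Any POST to the upload endpoint: the interface is unauthenticated,
            # so every one of these is an exploitation attempt worth reviewing.
            uploads_by_ip[r["ip"]].append(r["ts"])
            findings.append((r["ip"], "T1190", f"POST {path} at {r['ts']}"))
        elif bare.startswith(UPLOAD_DIR) and EXECUTABLE_EXT.search(path):
            # A script under /upload/ should never exist; a request for one is
            # the web shell being driven.
            prior = ("after upload by same client"
                     if uploads_by_ip[r["ip"]] else "no prior upload seen from this client")
            findings.append((r["ip"], "T1505.003", f"{r['method']} {path} at {r['ts']} ({prior})"))
    return findings


if __name__ == "__main__":
    for ip, technique, evidence in detect(SAMPLE_LOG):
        print(f"{technique:10} {ip:14} {evidence}")
```

On the sample this reports two T1190 findings (both POSTs) and one T1505.003 finding tied to 203.0.113.7, and ignores the legitimate image fetch. On a live device, pair the log check with a listing of /upload/: any file there with a script extension is evidence of compromise regardless of what the logs retained.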