CVE-2025-66251
Published: 26 November 2025
Description
Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform arbitrary file deletion: the deletehidden parameter allows path-traversal deletion of arbitrary .tgz files.
Mitigating Controls (NIST 800-53 r5)
- Directly validates the deletehidden parameter to block path traversal sequences, preventing arbitrary .tgz file deletion.
- Prohibits unauthenticated actions like file deletion via the deletehidden parameter, requiring identification and authentication for sensitive operations.
- Enforces approved access authorizations to system resources, preventing unauthorized path traversal and file deletion beyond restricted directories.
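The three controls above, as one added illustration that is not the vendor's firmware code: a deletion handler that refuses unauthenticated calls, accepts only a bare .tgz file name, and confirms the resolved target is still a direct child of the backup directory (so symlinks cannot escape it). The directory layout and the helper names are constructed for the demo; the real device paths are not given in the advisory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

def resolve_backup_for_deletion(deletehidden: str, base_dir: Path) -> Optional[Path]:
    """Map a user-supplied archive name to a file inside base_dir, or return None."""
    # Reject empty names, dot entries, embedded NULs and any path separator,
    # so "../" sequences and absolute paths never reach the filesystem layer.
    if not deletehidden or deletehidden in (".", ".."):
        return None
    if "\x00" in deletehidden or "/" in deletehidden or "\\" in deletehidden:
        return None
    # The feature only manages .tgz archives; refuse everything else.
    if not deletehidden.endswith(".tgz"):
        return None
    base = base_dir.resolve()
    candidate = (base / deletehidden).resolve()
    # After symlink resolution the file must still sit directly in base.
    if candidate.parent != base:
        return None
    return candidate

def delete_backup(deletehidden: str, base_dir: Path, authenticated: bool) -> bool:
    """Delete only when the caller is authenticated and the name resolves safely."""
    if not authenticated:
        return False
    target = resolve_backup_for_deletion(deletehidden, base_dir)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True

def demo() -> dict:
    """Run the checks against a constructed directory layout and report outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backups = root / "backups"
        backups.mkdir()
        (backups / "ok.tgz").write_bytes(b"constructed archive")
        (root / "outside.tgz").write_bytes(b"must survive")
        # A symlink inside the backup directory that points outside of it.
        os.symlink(root / "outside.tgz", backups / "link.tgz")
        results = {
            "traversal": delete_backup("../outside.tgz", backups, True),
            "symlink": delete_backup("link.tgz", backups, True),
            "unauthenticated": delete_backup("ok.tgz", backups, False),
            "wrong_ext": delete_backup("ok.conf", backups, True),
            "legit": delete_backup("ok.tgz", backups, True),
        }
        results["outside_survived"] = (root / "outside.tgz").exists()
        return results
```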
Security Summary
CVE-2025-66251 is an unauthenticated path traversal vulnerability enabling arbitrary file deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices across versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue stems from the deletehidden parameter, which permits path traversal attacks to delete arbitrary .tgz files. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability was published on 2025-11-26.
An unauthenticated attacker with network access to an affected device can exploit this vulnerability with low attack complexity and no user interaction. Exploitation involves manipulating the deletehidden parameter to traverse directories and target .tgz files for deletion, potentially disrupting device operations by causing high integrity and availability impacts, such as service denial or configuration loss.
Details on mitigation, including any patches or workarounds, are available in the referenced advisory at https://www.abdulmhsblog.com/posts/webfmvulns/.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated path traversal enables exploitation of public-facing application (T1190) and arbitrary file deletion (T1070.004).