CVE-2025-66255

CVE-2025-66255 is an unauthenticated arbitrary file upload vulnerability in the upgrade_contents.php endpoint of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices, affecting versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The endpoint fails to validate file headers, cryptographic signatures, or enforce .tgz format requirements, enabling attackers to upload malicious firmware packages. This missing signature validation leads to firmware injection, with the endpoint also facilitating subsequent arbitrary file uploads and remote code execution. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 345 (Insufficient Verification of Data Authenticity) and 434 (Unrestricted Upload of File with Dangerous Type).

Any unauthenticated attacker with network access to the affected device can exploit this vulnerability due to its low attack complexity and lack of privileges required. By sending a crafted request to upgrade_contents.php, the attacker can upload arbitrary files disguised as firmware, bypassing all validation checks. Successful exploitation allows injection of malicious firmware, enabling full remote code execution on the device with high impacts on confidentiality, integrity, and availability.

References for this vulnerability include details published at https://www.abdulmhsblog.com/posts/webfmvulns/, which documents the issue but does not specify vendor-provided patches or mitigation steps in the available information.