CVE-2025-66256
Published: 26 November 2025
Description
Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to upload malicious files through an unrestricted file upload in patch_contents.php. The `/var/tdf/patch_contents.php` endpoint accepts unauthenticated arbitrary file uploads without file type validation, MIME checking, or any size restriction beyond 16MB, enabling attackers to upload malicious files.
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: directly addresses the lack of file type validation, MIME checking, and content restrictions in the patch_contents.php endpoint by implementing input validation mechanisms that block malicious file uploads.
- AC-14 Permitted Actions Without Identification or Authentication: specifies and authorizes only safe actions that may be performed without identification or authentication, explicitly prohibiting unauthenticated arbitrary file uploads via the vulnerable endpoint.
- SI-2 Flaw Remediation: establishes processes to identify, report, and remediate the specific flaw in patch_contents.php, preventing exploitation through timely patching.
Security Summary
CVE-2025-66256 is an unauthenticated arbitrary file upload vulnerability in the patch_contents.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices, affecting versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The vulnerable endpoint at /var/tdf/patch_contents.php allows unauthenticated users to upload arbitrary files without file type validation, MIME checking, or size restrictions beyond 16MB. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Attackers with network access can exploit this vulnerability without authentication by sending HTTP requests to the patch_contents.php endpoint with malicious payloads, such as webshells or executable files. Successful exploitation enables arbitrary file uploads, potentially leading to remote code execution, unauthorized access to sensitive data, system file modification, or denial-of-service conditions, with high impacts on confidentiality, integrity, and availability.
Advisories referenced in the CVE point to https://www.abdulmhsblog.com/posts/webfmvulns/ for further details, though specific patch or mitigation guidance is not detailed in the CVE description.
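Added example, not code from the advisory or from the vendor: a small Python inspector a defender could run over HTTP requests captured by a proxy or IDS in front of the transmitter's web UI. It flags POSTs to /var/tdf/patch_contents.php that carry no credentials, multipart uploads whose part filename has a script extension, and bodies over the 16MB limit the endpoint enforces. The host name, the sample request and the extension list are constructed assumptions.

```python
import re

VULN_ENDPOINT = "/var/tdf/patch_contents.php"  # endpoint named in the advisory
SIZE_CAP = 16 * 1024 * 1024                    # the only limit the endpoint enforces
# Assumed list of extensions a PHP web root would execute or run as a script.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar", ".sh", ".cgi")

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target.split("?", 1)[0], headers, body

def inspect_request(raw: str) -> dict:
    """Findings for one captured request; match=False unless it is a POST to the endpoint."""
    method, path, headers, body = parse_request(raw)
    result = {"match": False, "findings": [], "filenames": []}
    if method != "POST" or path != VULN_ENDPOINT:
        return result
    result["match"] = True
    # The endpoint needs no credentials, so a POST carrying none looks like an
    # exploitation attempt rather than an administrator's session.
    if "authorization" not in headers and "cookie" not in headers:
        result["findings"].append("unauthenticated")
    if headers.get("content-type", "").lower().startswith("multipart/form-data"):
        result["findings"].append("multipart-upload")
    # No server-side MIME check exists, so the part filename's extension is the
    # best available signal of what was uploaded.
    result["filenames"] = re.findall(r'filename="([^"]*)"', body)
    if any(n.lower().endswith(SCRIPT_EXT) for n in result["filenames"]):
        result["findings"].append("script-extension")
    if len(body.encode("utf-8", "surrogateescape")) > SIZE_CAP:
        result["findings"].append("exceeds-16MB-cap")
    return result

# Constructed sample capture (not a real request); the part body is a placeholder.
SAMPLE_REQUEST = (
    "POST /var/tdf/patch_contents.php HTTP/1.1\r\n"
    "Host: transmitter.example\r\n"
    "Content-Type: multipart/form-data; boundary=----B\r\n\r\n"
    "------B\r\n"
    'Content-Disposition: form-data; name="file"; filename="patch.php"\r\n\r\n'
    "placeholder-body\r\n------B--\r\n"
)
```

Calling inspect_request(SAMPLE_REQUEST) returns the findings for the constructed sample; feed it each captured request to raise an alert whenever "match" is true.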
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file upload in a public-facing PHP endpoint enables Exploit Public-Facing Application (T1190), Ingress Tool Transfer (T1105), and Server Software Component: Web Shell (T1505.003) for remote code execution and persistence.