CVE-2025-66257

CVE-2025-66257 is an unauthenticated arbitrary file deletion vulnerability affecting DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices in versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in the `patch_contents.php` script, where the `deletepatch` parameter enables attackers to delete arbitrary files within the `/var/www/patch/` directory. This occurs without any sanitization or access control checks, stemming from CWE-73 (External Control of File Name or Path). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to high impact on integrity and availability.

Any unauthenticated attacker with network access to the affected device can exploit this vulnerability remotely with low complexity and no user interaction required. By sending a crafted request to `patch_contents.php` manipulating the `deletepatch` parameter, the attacker can specify and delete any file in the `/var/www/patch/` directory, potentially disrupting firmware patching processes, corrupting update files, or causing service outages on the FM transmitter.

Advisories detailing the vulnerability are available at https://www.abdulmhsblog.com/posts/webfmvulns/, which researchers should consult for specific mitigation guidance or patches, as no additional details on fixes are provided in the CVE record. The vulnerability was published on 2025-11-26.