Cyber Posture

CVE-2025-66259

Critical | Public PoC

Published: 26 November 2025

Modified: 03 December 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (64.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to execute commands as root through main_ok.php: user-supplied data (hour/time) is passed directly into the date shell command.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly mitigates the command injection vulnerability by enforcing input validation on user-supplied hour/time data before it is passed to the 'date' shell command in main_ok.php.

Prevent: Ensures timely identification, reporting, and correction of the specific flaw in main_ok.php that passes unfiltered user input to shell commands.

Detect: Enables monitoring of the system to identify anomalous executions of the 'date' command indicative of exploitation attempts.
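The two "prevent" controls above describe the fix shape rather than show it. The following PHP is an added illustration written for this page; it is not the vendor's main_ok.php, and the parameter names ($_POST['hour'], $_POST['minute']), the log prefix and the function names are assumptions. It places the unsafe pattern the CVE describes (untrusted input concatenated into a `date` command line) beside a hardened handler that allow-lists the input, escapes each shell argument separately, and logs rejected requests so the "detect" control has something to alert on.

```php
<?php
// Added example for this page, not code from the Mozart firmware.
// Request field names 'hour' and 'minute' are assumed for illustration.

// UNSAFE PATTERN: the shape the CVE describes. Whatever the client sends in
// 'hour'/'minute' becomes part of a root shell command line, so any shell
// metacharacter in the input changes what runs.
function build_clock_command_unsafe(array $post): string
{
    $hour   = $post['hour']   ?? '';
    $minute = $post['minute'] ?? '';
    // String concatenation into a shell command; no validation, no escaping.
    return "date -s '" . $hour . ":" . $minute . "'";
}

// HARDENED: allow-list validation first. Returns normalised integers or null.
function validate_clock_fields(array $post): ?array
{
    $hour   = $post['hour']   ?? null;
    $minute = $post['minute'] ?? null;
    if (!is_string($hour) || !is_string($minute)) {
        return null;
    }
    // Exactly one or two ASCII digits and nothing else (anchored, no modifiers
    // that would let a trailing newline slip past the end anchor).
    if (!preg_match('/\A[0-9]{1,2}\z/', $hour) || !preg_match('/\A[0-9]{1,2}\z/', $minute)) {
        return null;
    }
    $h = (int) $hour;
    $m = (int) $minute;
    if ($h > 23 || $m > 59) {
        return null;
    }
    return ['hour' => $h, 'minute' => $m];
}

// HARDENED: build the command only from validated, reformatted values, and
// pass the result through escapeshellarg() as a single argument. Returns null
// (and writes a log line for the detect control) when validation fails.
function build_clock_command_safe(array $post): ?string
{
    $fields = validate_clock_fields($post);
    if ($fields === null) {
        // Assumed log prefix; a SIEM rule on this string flags probing attempts.
        error_log('main_ok: rejected malformed hour/minute input from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return null;
    }
    // The value is rebuilt from integers, so it can only ever be HH:MM.
    $stamp = sprintf('%02d:%02d', $fields['hour'], $fields['minute']);
    return 'date -s ' . escapeshellarg($stamp);
}

// Demonstration with constructed inputs (run with `php thisfile.php`).
$good = ['hour' => '14', 'minute' => '05'];
$bad  = ['hour' => "14'; echo oops", 'minute' => '05']; // constructed, not a real request

var_dump(build_clock_command_safe($good));   // string "date -s '14:05'"
var_dump(build_clock_command_safe($bad));    // NULL, plus an error_log line
var_dump(build_clock_command_unsafe($bad));  // shows the broken-out command line
```

The safe builder never executes anything; the caller decides whether to hand the returned string to shell_exec() (which on a transmitter running the web UI as root still warrants a reduced-privilege helper rather than a direct call). The essential property is that the value reaching the shell is derived from two bounded integers, not from the request bytes, so validation and escaping are defence in depth rather than a single regex standing between the request and root.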

Security Summary [AI-generated]

CVE-2025-66259 is a remote code execution vulnerability stemming from improper input validation (CWE-20) in the main_ok.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices. It affects versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue arises when user-supplied data for hour/time parameters is passed directly to the Linux 'date' shell command without filtering, enabling command injection. Published on 2025-11-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Although the description specifies an authenticated attack, the CVSS privileges required (PR:N) metric suggests it may be exploitable without authentication. Successful exploitation grants root-level code execution on the device, allowing full control with high impacts on confidentiality, integrity, and availability.

The sole reference points to a blog post at https://www.abdulmhsblog.com/posts/webfmvulns/, which documents the web FM vulnerabilities but provides no details on patches, vendor advisories, or specific mitigations in the available CVE information. Security practitioners should isolate affected devices, monitor for anomalous 'date' command usage, and contact the vendor for updates.

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products

dbbroadcast mozart next 100 firmware: all versions
dbbroadcast mozart next 1000 firmware: all versions
dbbroadcast mozart next 2000 firmware: all versions
dbbroadcast mozart next 30 firmware: all versions
dbbroadcast mozart next 300 firmware: all versions
dbbroadcast mozart next 3000 firmware: all versions
dbbroadcast mozart next 3500 firmware: all versions
dbbroadcast mozart next 50 firmware: all versions
dbbroadcast mozart next 500 firmware: all versions
dbbroadcast mozart next 6000 firmware: all versions
+12 more product configuration(s), see NVD for the full list

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables remote exploitation of a public-facing web application (T1190) via command injection into the Linux shell (T1059.004), granting root RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.abdulmhsblog.com/posts/webfmvulns/