Cyber Posture

CVE-2025-66261

Severity: Critical. A public proof of concept is available.

Published: 26 November 2025
Modified: 03 December 2025
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0055 (68.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Unauthenticated OS command injection in restore_settings.php in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000: the URL-decoded `name` parameter is passed to exec(), which allows remote code execution.

The `/var/tdf/restore_settings.php` endpoint takes the user-controlled `$_GET["name"]` parameter, runs it through `urldecode()` and passes the result straight into `exec()` with no validation or escaping. An attacker can inject arbitrary shell commands with metacharacters (`;`, `|`, `&&` and so on) and obtain unauthenticated remote code execution as the web server user. Note that PHP has already URL-decoded the query string once when it populates `$_GET`, so the extra `urldecode()` decodes the value a second time: a double-encoded payload (for example `%253B` for `;`) reaches `exec()` as a bare metacharacter even though a proxy or filter that inspects the once-decoded request never sees one.

Mitigating Controls (NIST 800-53 r5), AI-generated mapping

SI-10 Information Input Validation (prevent): validate and sanitize the user-controlled $_GET['name'] parameter before it reaches exec(), rejecting shell metacharacters so that command injection is blocked.

AC-14 Permitted Actions Without Identification or Authentication (prevent): limit what can be done without identification or authentication, so the vulnerable /var/tdf/restore_settings.php endpoint is not reachable by unauthenticated callers.

SI-2 Flaw Remediation (prevent): identify, report and correct the command injection flaw in restore_settings.php, removing the insecure urldecode() and exec() usage.
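The data flow described above (once-decoded $_GET value, a second urldecode(), then exec()) and the input-validation control, modelled in Python as an added example. This is not code from the vendor, from the disclosure or from this page: RESTORE_CMD is a placeholder because the page does not say which command the script runs, the allowlist regex is one reasonable choice for a settings-file name, and the query strings are constructed. The block shows why a filter that looks at the once-decoded parameter misses a double-encoded payload, and why the hardened version validates the value after decoding it exactly as the application does.

```python
import re
import shlex
from typing import List, Optional
from urllib.parse import parse_qs, unquote

# Placeholder for whatever binary restore_settings.php actually runs; the real
# command is not published, so this name is an assumption made for the example.
RESTORE_CMD = "restore-settings"

# Characters that let a POSIX shell start a new command or a substitution.
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")
# Allowlist for a settings-file name: letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def php_get(query: str, key: str) -> Optional[str]:
    """Mirror $_GET: PHP URL-decodes the query string once while populating it."""
    vals = parse_qs(query, keep_blank_values=True).get(key)
    return vals[0] if vals else None


def vulnerable_command(query: str) -> Optional[str]:
    """The reported data flow: $_GET['name'] -> urldecode() -> exec().
    Returns the string the shell would receive instead of executing it."""
    name = php_get(query, "name")
    if name is None:
        return None
    name = unquote(name)            # second decode, like urldecode() on an already-decoded value
    return f"{RESTORE_CMD} {name}"  # no escaping, no validation


def naive_waf_blocks(query: str) -> bool:
    """A filter that inspects the once-decoded parameter, i.e. what a proxy or WAF sees."""
    name = php_get(query, "name")
    return name is not None and bool(SHELL_META.search(name))


def shell_tokens(command: str) -> List[str]:
    """Split the way a POSIX shell would, so ';' and '&&' appear as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def safe_command(query: str) -> Optional[str]:
    """Hardened variant: validate the value the sink will actually use, then quote it anyway."""
    name = php_get(query, "name")
    if name is None:
        return None
    name = unquote(name)            # decode exactly as the application does before checking
    if not SAFE_NAME.match(name):
        return None                 # reject outright; do not try to strip characters
    return f"{RESTORE_CMD} {shlex.quote(name)}"  # Python analogue of PHP escapeshellarg()


if __name__ == "__main__":
    # Constructed inputs: a benign name, a plain injection, a double-encoded injection.
    for q in ("name=backup-2024.tdf", "name=x%3Bid", "name=x%253Bid"):
        print(f"{q!r}: shell gets {vulnerable_command(q)!r}, "
              f"naive filter blocks={naive_waf_blocks(q)}, hardened={safe_command(q)!r}")
```

The point of `safe_command` is the ordering: the check runs on the fully decoded value, so there is no second transformation between validation and the sink for an encoder to exploit, and quoting is kept as a second layer rather than as the only one.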

Security Summary, AI-generated

CVE-2025-66261, published on 2025-11-26, is an unauthenticated OS command injection vulnerability (CWE-78) in the restore_settings.php component of DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices. It affects versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000. The vulnerable endpoint at /var/tdf/restore_settings.php takes the user-controlled $_GET["name"] parameter, applies urldecode() to it, and passes the result directly into the PHP exec() function without validation or escaping.

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this low-complexity (AC:L) vulnerability by sending a crafted "name" parameter that, once decoded by the server, contains shell metacharacters such as ;, | or &&. Because the value is URL-decoded twice, a double-encoded payload works as well and evades filters that decode only once. The injected commands run as the web server user, with high impact on confidentiality, integrity and availability (C:H/I:H/A:H), giving a CVSS v3.1 base score of 9.8.

Details on mitigation, patches, or advisories are available in the referenced disclosure at https://www.abdulmhsblog.com/posts/webfmvulns/.

Details

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products (NVD CPE configurations)

dbbroadcast mozart next 30 firmware, all versions
dbbroadcast mozart next 50 firmware, all versions
dbbroadcast mozart next 100 firmware, all versions
dbbroadcast mozart next 300 firmware, all versions
dbbroadcast mozart next 500 firmware, all versions
dbbroadcast mozart next 1000 firmware, all versions
dbbroadcast mozart next 2000 firmware, all versions
dbbroadcast mozart next 3000 firmware, all versions
dbbroadcast mozart next 3500 firmware, all versions
dbbroadcast mozart next 6000 firmware, all versions
+12 more product configuration(s), see NVD for the full list

MITRE ATT&CK Enterprise Techniques, AI-generated mapping

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection in a public-facing web endpoint (restore_settings.php) directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution via T1059.004 (Unix Shell) through unescaped exec() usage.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
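A detection check that matches the two techniques above, added here as an example and not taken from the disclosure or from any vendor tooling. It scans web-server access logs in Common Log Format for requests to the endpoint path given on this page and decodes the name parameter twice, the way the vulnerable script does, before looking for shell metacharacters. The log lines are constructed for the example and use documentation IP ranges; the field names in the returned records are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2025:10:14:02 +0000] "GET /var/tdf/restore_settings.php?name=backup-2025.tdf HTTP/1.1" 200 512
203.0.113.9 - - [27/Nov/2025:10:15:40 +0000] "GET /var/tdf/restore_settings.php?name=x%3Bid HTTP/1.1" 200 41
203.0.113.9 - - [27/Nov/2025:10:15:51 +0000] "GET /var/tdf/restore_settings.php?name=x%253Bcat%2520%252Fetc%252Fpasswd HTTP/1.1" 200 1290
198.51.100.4 - - [27/Nov/2025:10:16:12 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Endpoint path as given in the advisory text.
ENDPOINT = "/var/tdf/restore_settings.php"
SHELL_META = re.compile(r"[;&|`$<>\n(){}]")
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def name_param(target: str) -> Optional[Tuple[str, str]]:
    """Return (once_decoded, twice_decoded) values of ?name=, mirroring $_GET then urldecode()."""
    q = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "name" not in q:
        return None
    once = q["name"][0]
    return once, unquote(once)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Flag requests whose fully decoded name parameter carries shell metacharacters.
    'evasion' records whether the payload was visible after one decode or only after two."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if not rec or urlsplit(rec["target"]).path != ENDPOINT:
            continue
        vals = name_param(rec["target"])
        if vals is None:
            continue
        once, twice = vals
        if SHELL_META.search(twice):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "name": twice,
                "evasion": "plain" if SHELL_META.search(once) else "double-encoded",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Decoding twice is the part that matters: the third sample line carries no metacharacter until the second decode, so a rule that inspects the once-decoded query string reports only the second line and misses the request that actually reaches `exec()` as `x;cat /etc/passwd`.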

References

https://www.abdulmhsblog.com/posts/webfmvulns/