CVE-2025-66262
Published: 26 November 2025
Description
Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary…
more
file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal in tar extraction by requiring validation of user-controlled archive paths before depositing contents to the filesystem root.
Mandates identification, reporting, and correction of the specific flaw in restore_mozzi_memories.sh lacking path validation during tar extraction.
Enforces least privilege on the extraction process to restrict writable directories and limit the impact of arbitrary file overwrites even if path traversal succeeds.
Security SummaryAI
CVE-2025-66262 is an arbitrary file overwrite vulnerability stemming from tar extraction path traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter devices across versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The issue resides in the `restore_mozzi_memories.sh` script, which extracts user-controlled tar archives using the `-C /` flag, directing contents to the filesystem root without any path validation. This flaw, classified under CWE-22 and assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), was published on 2025-11-26.
Remote attackers require no privileges or user interaction to exploit this vulnerability, particularly when chained with unauthenticated file upload issues referenced as CVE-01, CVE-06, and CVE-07. By crafting malicious .tgz archives with path-traversed filenames—such as `etc/shadow` or `var/www/index.php`—attackers can overwrite critical system files in writable directories upon extraction. Successful exploitation enables full system compromise, granting attackers high confidentiality, integrity, and availability impacts.
Advisories are detailed in the reference at https://www.abdulmhsblog.com/posts/webfmvulns/, which covers the vulnerability discovery in the context of web FM transmitter flaws.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file overwrite via unauthenticated remote path traversal in tar extraction on a public-facing web FM transmitter device directly enables exploitation of a public-facing application.