Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: CRITICAL (9.9)
EPSS: 0.04%
KEV
Description
Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to upload arbitrary files through patch_contents.php.
The `/var/tdf/patch_contents.php` endpoint accepts unauthenticated file uploads with no file type validation, no MIME checking, and no size restriction other than a 16MB limit, enabling attackers to upload malicious files.
Statistics
- 1 Post
- 8 Interactions
Last activity: 13 hours ago
Fediverse
Go hack more radio shit.
https://www.abdulmhsblog.com/posts/webfmvulns/
- CVE-2025-66259: Authenticated Root RCE (main_ok.php)
- CVE-2025-66253: Unauthenticated OS Command Injection (Upgrade)
- CVE-2025-66261: Unauthenticated OS Command Injection (Restore)
- CVE-2025-66262: Arbitrary File Overwrite (Tar Path Traversal)
- CVE-2025-66250: Unrestricted File Upload (Status)
- CVE-2025-66255: Unsigned Firmware Upload
- CVE-2025-66256: Unrestricted Patch Upload
- CVE-2025-66251: Path Traversal File Deletion
- CVE-2025-66254: Arbitrary File Deletion (Upgrade)
- CVE-2025-66263: Arbitrary File Read (Null Byte Injection)
- CVE-2025-66260: SQL Injection
- CVE-2025-66258: Stored XSS via XML Injection
- CVE-2025-66257: Arbitrary Patch Deletion
- CVE-2025-66252: Infinite Loop Denial of Service
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (7.1)
EPSS: 0.05%
KEV
Description
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform stored XSS via crafted filenames injected into patchlist.xml.
User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: CRITICAL (9.9)
EPSS: 0.93%
KEV
Description
Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to achieve remote code execution, because user input is passed directly to exec() in start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (7.7)
EPSS: 0.17%
KEV
Description
Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary .tgz files via path traversal in the deletehidden parameter.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (8.4)
EPSS: 0.04%
KEV
Description
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to cause a denial of service through an infinite loop when unlink() fails in status_contents.php. Because the unlink operation runs inside a while loop, specifying an immutable file, or any file the process lacks permission to delete, makes the script retry the deletion indefinitely.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (7.8)
EPSS: 0.07%
KEV
Description
Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary files via the deleteupgrade parameter.
The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: CRITICAL (9.9)
EPSS: 0.10%
KEV
Description
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to upload malicious firmware packages because signature validation is missing.
The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures, and without enforcing the .tgz format requirement, allowing malicious firmware injection. The same endpoint also provides a path to arbitrary file upload and subsequent remote code execution.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (7.2)
EPSS: 0.03%
KEV
Description
PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via the sw1 and sw2 parameters in status_sql.php.
The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
Overview
- DB Electronica Telecomunicazioni S.p.A.
- Mozart FM Transmitter
Published: 26 Nov 2025
Updated: 26 Nov 2025
CVSS v4.0: HIGH (8.9)
EPSS: 0.04%
KEV
Description
Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to read arbitrary files via null byte injection in download_setting.php.
The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.