CRITICAL🇵🇱 Wersja polska

CVE-2025-66253

CVSS 9.9v4.0pub. 2025-11-26upd. 2025-12-03

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).

🤖 AI Analysis
How it works

The `/var/tdf/start_upgrade.php` endpoint retrieves the `filename` parameter from an HTTP GET request (`$_GET["filename"]`) and passes it directly to the `exec()` function without any validation, sanitization, or escaping of shell special characters. An attacker can inject arbitrary system commands using shell metacharacters such as `;` or `|` by constructing a properly crafted HTTP request. Execution occurs in the context of the web server user, which on such embedded devices most likely runs with root privileges. The attack requires no authentication or any user interaction.

Impact

An attacker can gain full control over the device by remotely executing arbitrary system commands with root privileges, enabling persistent device compromise, disruption of FM transmission, and potential use of the device as an entry point for further network penetration (lateral movement).

Mitigation & patch

Patches available from the manufacturer should be applied according to references. Until patches are deployed, it is recommended to isolate devices from public and untrusted networks, restrict access to the web interface exclusively to trusted IP addresses using a firewall, and monitor network traffic directed to the start_upgrade.php endpoint.

Who is affected

DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter in versions: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 (products from the Mozart Next and Mozart DDS Next product lines)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dbbroadcast Mozart Dds Next 100

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 1000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 1000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 100 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 2000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 2000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 30

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 300

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 3000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 3000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 300 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 30 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 3500

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 3500 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 50

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 500

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 500 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 50 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 6000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 6000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 7000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Dds Next 7000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 100

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 1000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 1000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 100 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 2000

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 2000 Firmware

    OS
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 30

    HW
    Dbbroadcast
    wszystkie wersje
  • Dbbroadcast Mozart Next 300

    HW
    Dbbroadcast
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-66257CRITICAL9.2PL ✓ten sam produkt

Nieuwierzytelnione usuwanie plików w DB Electronica Mozart FM Transmitter

CVE-2025-66256CRITICAL9.9PL ✓ten sam produkt

Nieuwierzytelniony arbitrary file upload w DB Electronica Mozart FM Transmitter

CVE-2025-66250CRITICAL9.2PL ✓ten sam produkt

Nieuwierzytelniony arbitrary file upload w DB Electronica Mozart FM Transmitter

CVE-2025-66255CRITICAL9.9PL ✓ten sam produkt

RCE przez brak walidacji pliku firmware w DB Electronica Mozart FM Transmitter

CVE-2025-66259CRITICAL9.3PL ✓ten sam produkt

RCE w nadajnikach FM DB Electronica — brak filtrowania danych wejściowych