CVE-2025-66253 · CRITICAL 9.8 · EPSS p78.3%

Description

Unauthenticated OS command injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to achieve remote code execution: user input is passed directly to exec() in start_upgrade.php. The `/var/tdf/start_upgrade.php` endpoint passes the user-controlled `$_GET["filename"]` parameter directly into `exec()` without sanitization or shell escaping. An attacker can inject arbitrary shell commands using shell metacharacters (`;`, `|`, etc.) and execute them as the web server user (likely root).

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.01% probability of exploitation · percentile 78.3% · 2026-06-19T12:03:05Z
Published: 2025-11-26
Last modified: 2025-12-03

Underlying weaknesses · 1

CWE-78

References

  1. https://www.abdulmhsblog.com/posts/webfmvulns/

Type      Target                                                                                 Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-78  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-66261
CVE: CVE-2025-66254
CVE: CVE-2025-66259
CVE: CVE-2025-66255
CVE: CVE-2025-66250
CVE: CVE-2025-66256

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.