CVE-2025-66255 · CRITICAL 9.8 · EPSS p23.5%


Description

Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to upload malicious firmware packages because signature validation is missing. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures and without enforcing the expected .tgz format, allowing malicious firmware injection. The same endpoint can therefore be used for arbitrary file upload and subsequent remote code execution.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.32% probability of exploitation · percentile 23.5% · 2026-06-19T12:03:05Z
Published: 2025-11-26
Last modified: 2025-12-03

Underlying weaknesses · 2

CWE-345, CWE-434

References

  1. https://www.abdulmhsblog.com/posts/webfmvulns/


Type     | Target                                                     | Confidence | Tier
Weakness | Insufficient Verification of Data Authenticity (CWE-345)   | 0%         | live
Weakness | Unrestricted Upload of File with Dangerous Type (CWE-434)  | 0%         | live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66256
  2. CVE-2025-66250
  3. CVE-2025-66253
  4. CVE-2025-66254
  5. CVE-2025-63228
  6. CVE-2025-66257

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.