PT-2025-48105 · DB Elettronica Telecomunicazioni S.p.A. · Mozart FM Transmitter

Author: Abdul Mhanni · Published: 2025-11-26 · Updated: 2025-11-28 · CVE-2025-66253

CVSS v4.0: 9.9
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000

Description: An unauthenticated OS command injection issue exists in the start_upgrade.php component of the software. The /var/tdf/start_upgrade.php API endpoint passes user-controlled input from the $_GET["filename"] parameter directly to the exec() function without sanitization or shell escaping. This allows attackers to inject arbitrary shell commands using metacharacters such as ; or | to achieve remote code execution as the web server user, potentially with root privileges.

Recommendations: Versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 should be updated to a fixed version when available. As a temporary workaround, consider restricting access to the /var/tdf/start_upgrade.php endpoint. Alternatively, disable the start_upgrade.php functionality until a patch is available.
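The following is an added illustration, not the vendor's code: it reconstructs the class of bug the advisory describes (a query parameter concatenated into a string handed to exec()) and places a hardened handler beside it. The staging directory, the upgrade helper binary and the .bin naming rule are assumptions made for the example; the hardened version allow-lists the file name, confines the resolved path to the staging directory, and runs the helper without a shell so that ; and | are never interpreted.

```php
<?php
// Added example (not DB Elettronica's code). UPLOAD_DIR and
// /usr/local/bin/do_upgrade are assumed names for illustration only.
declare(strict_types=1);

const UPLOAD_DIR = '/var/tdf/uploads';           // assumed staging directory
const UPGRADE_BIN = '/usr/local/bin/do_upgrade'; // assumed upgrade helper

// VULNERABLE pattern, as the advisory describes it: the raw query value is
// concatenated into a shell command line, so any shell metacharacter in
// "filename" ends the intended command and starts another.
function startUpgradeVulnerable(array $get): string
{
    $filename = $get['filename'] ?? '';
    exec(UPGRADE_BIN . ' ' . UPLOAD_DIR . '/' . $filename, $out, $rc);
    return implode("\n", $out);
}

// Validation step shared by the hardened handlers: accept only a plain
// file name from a strict character set, then confirm the resolved path
// still lies inside the staging directory (blocks ../ escapes as well).
function validateUpgradeFilename(string $filename): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.bin$/', $filename)) {
        return null;
    }
    $real = realpath(UPLOAD_DIR . '/' . $filename);
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0) {
        return null; // file missing, or resolved outside UPLOAD_DIR
    }
    return $real;
}

// HARDENED handler: proc_open() with an argv array (PHP >= 7.4) starts the
// helper directly, with no shell in between, so the file name is always a
// single literal argument regardless of its contents.
function startUpgradeHardened(array $get): string
{
    $path = validateUpgradeFilename((string)($get['filename'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        return 'invalid filename';
    }
    $proc = proc_open(
        [UPGRADE_BIN, $path],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return 'failed to start upgrade';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// If exec() must be kept, escapeshellarg() is the minimum fix on top of
// validation: it single-quotes the value so the shell passes it literally.
function startUpgradeEscaped(array $get): string
{
    $path = validateUpgradeFilename((string)($get['filename'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        return 'invalid filename';
    }
    exec(UPGRADE_BIN . ' ' . escapeshellarg($path), $out, $rc);
    return implode("\n", $out);
}
```

Allow-listing before escaping matters: escapeshellarg() only neutralises shell parsing, while the regex and realpath() checks also stop the upgrade routine from being pointed at an arbitrary file. Neither replaces the advisory's interim advice to restrict or disable the endpoint until a vendor fix is available, since the endpoint is reachable without authentication.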

Tags: RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-66253

Affected Products: Mozart FM Transmitter