PT-2025-48105 · DB Elettronica Telecomunicazioni S.p.A. · Mozart FM Transmitter

Author: Abdul Mhanni
Published: 2025-11-26 · Updated: 2025-12-24

CVE-2025-66253
CVSS v4.0: 9.9 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000.

Description
An unauthenticated OS command injection issue exists in the start_upgrade.php component of the software. The /var/tdf/start_upgrade.php API endpoint passes user-controlled input from the $_GET["filename"] parameter directly to the exec() function without sanitization or shell escaping. An attacker can therefore inject arbitrary shell commands using metacharacters such as ; or | and achieve remote code execution as the web server user, potentially with root privileges.

Recommendations
Versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000 should be updated to a fixed version when one becomes available. As a temporary workaround, restrict access to the /var/tdf/start_upgrade.php endpoint, or disable the start_upgrade.php functionality entirely until a patch is available.
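The following is an added example, not code from the vendor or from the advisory: a hypothetical reconstruction of the pattern described above (a filename taken from a GET parameter and concatenated into an exec() call) shown as a comment, followed by a hardened handler that addresses both the root cause and the interim recommendation. The file name and the "filename" parameter come from the advisory; the session flag, the upgrade directory, the tool path and the character allowlist are assumptions.

```php
<?php
// Added example; hypothetical, not the product's code.
// Assumed: an admin session flag, an upload directory and an upgrade tool path.

// --- Vulnerable pattern as the advisory describes it (not executed here) ---
// $filename = $_GET["filename"];
// exec("/path/to/upgrade_tool " . $filename);   // raw input reaches /bin/sh

// --- Hardened handler ---

// 1. The endpoint must not be reachable without an authenticated, privileged session.
function require_admin_session(): void
{
    session_start();
    if (empty($_SESSION['is_admin'])) {          // assumed session flag
        http_response_code(403);
        exit('forbidden');
    }
}

// 2. Accept only a plain file name built from an allowlisted character set and
//    confirm that it resolves inside the expected directory.
function resolve_upgrade_file(string $name, string $dir): ?string
{
    // No slashes, no whitespace, no shell metacharacters, bounded length.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name);
    if ($base === false || $real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;                                // missing file or outside the directory
    }
    return $real;
}

// 3. Even after validation, pass the name as a single quoted argument so the
//    shell never interprets it.
function build_upgrade_command(string $tool, string $path): string
{
    return escapeshellarg($tool) . ' ' . escapeshellarg($path);
}

require_admin_session();

$path = resolve_upgrade_file($_GET['filename'] ?? '', '/var/tdf/upgrades');   // directory assumed
if ($path === null) {
    http_response_code(400);
    exit('invalid filename');
}

exec(build_upgrade_command('/usr/local/bin/upgrade_tool', $path), $output, $rc);   // tool path assumed
echo $rc === 0 ? "upgrade started\n" : "upgrade failed\n";
```

The allowlist check rejects the request before any process is spawned, and escapeshellarg() is kept as a second layer so that a future relaxation of the pattern cannot reintroduce the injection. Restricting the endpoint to an authenticated session is the in-code equivalent of the access restriction recommended as a workaround; on an unpatched device the same effect can be obtained at the web server or firewall.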

Tags: Exploit, Fix, RCE, OS Command Injection
Related Identifiers: CVE-2025-66253
Affected Products: Mozart FM Transmitter