PT-2025-48117 · Db Elettronica Telecomunicazioni Spa · Mozart Fm Transmitter

Abdul Mhanni · Published 2025-11-26 · Updated 2025-11-26 · CVE-2025-66263

CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter, versions 30 through 7000
Description: The software contains a flaw that allows unauthenticated arbitrary file reading through null byte injection. The /var/tdf/download setting.php API endpoint is vulnerable because it builds the file path by concatenating user-supplied input, the filename parameter, with a forced .tgz extension. The device runs PHP 5.3.2; PHP releases before 5.3.4 pass such a path to the underlying C filesystem functions as a NUL-terminated string, so everything after an injected null byte (%00), including the forced extension, is silently discarded. Combined with ../ sequences, which are not filtered and walk out of the intended directory, this lets an attacker bypass the extension restriction and read any file accessible to the web server user by manipulating the filename parameter. For example, a request with filename=../../../../etc/passwd%00 returns the contents of /etc/passwd.
Recommendations: On affected devices (versions 30 through 7000), update the PHP runtime to 5.3.4 or later, which rejects file paths containing null bytes. Note that this alone only restores the .tgz restriction; the endpoint should also validate the filename parameter itself (reject null bytes and path separators, and confirm the resolved path stays inside the intended directory). As a temporary workaround, restrict access to the download setting.php endpoint.
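The path construction described above, modelled as an added example in Python (this is not code from the Mozart firmware, which is PHP). It emulates the concatenation on PHP 5.3.2, where the C string is cut at the first NUL byte, beside the same concatenation on PHP 5.3.4 or later, which refuses NUL bytes, and a hardened builder that validates the parameter before touching the filesystem. The base directory /var/tdf/settings, the function names and the sample response bodies are assumptions; the page does not state where the .tgz files live.

```python
"""Model of the CVE-2025-66263 path construction and a hardened replacement.

Added example, not code from the affected device. BASE_DIR, the function
names and the sample response bodies below are assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

BASE_DIR = "/var/tdf/settings"  # assumption: directory the endpoint serves .tgz files from


class RejectedFilename(ValueError):
    """Raised when a filename parameter is refused before any file access."""


def decode_param(raw: str) -> str:
    """URL-decode the filename parameter; '%00' becomes a real NUL byte."""
    return unquote(raw)


def build_path_legacy(filename: str, base_dir: str = BASE_DIR) -> str:
    """Emulate the vulnerable construction on PHP < 5.3.4.

    The endpoint concatenates the directory, the user value and a forced
    '.tgz'. Old PHP handed that string to libc as a NUL-terminated C string,
    so everything after the first NUL byte, including the forced extension,
    was dropped; '../' sequences then walk out of base_dir.
    """
    raw = base_dir + "/" + filename + ".tgz"
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(truncated)


def build_path_php_5_3_4(filename: str, base_dir: str = BASE_DIR) -> str:
    """Same concatenation on PHP >= 5.3.4, which rejects NUL bytes in paths.

    The extension restriction is back, but traversal is still unfiltered:
    '../../../../etc/passwd' resolves to '/etc/passwd.tgz'.
    """
    raw = base_dir + "/" + filename + ".tgz"
    if "\x00" in raw:
        raise RejectedFilename("PHP >= 5.3.4 refuses paths containing NUL")
    return posixpath.normpath(raw)


SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_path_hardened(filename: str, base_dir: str = BASE_DIR) -> str:
    """Validate the parameter, then confirm the result stays under base_dir.

    On a live filesystem, also resolve symlinks with os.path.realpath before
    the containment check; it is omitted here so the example runs offline.
    """
    if "\x00" in filename:
        raise RejectedFilename("NUL byte in filename")
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise RejectedFilename("path separator or traversal in filename")
    if not SAFE_NAME.fullmatch(filename):
        raise RejectedFilename("filename outside the allow-list")
    candidate = posixpath.normpath(base_dir + "/" + filename + ".tgz")
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise RejectedFilename("resolved path escapes base directory")
    return candidate


def is_rejected(filename: str, builder=build_path_hardened) -> bool:
    """True if the given builder refuses the filename."""
    try:
        builder(filename)
    except RejectedFilename:
        return True
    return False


# Probe-side check a tester would run on the response body.
PASSWD_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:", re.MULTILINE)


def looks_like_passwd(body: str) -> bool:
    """Heuristic for a hit: at least one /etc/passwd-style record in the body."""
    return PASSWD_LINE.search(body) is not None


# Constructed sample responses, not captured from a device.
SAMPLE_HIT = "root:x:0:0:root:/root:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/false\n"
SAMPLE_MISS = "<html><body>No such file</body></html>"


if __name__ == "__main__":
    payload = decode_param("../../../../etc/passwd%00")
    print("PHP 5.3.2 resolves to :", build_path_legacy(payload))
    print("PHP 5.3.4+ rejects    :", is_rejected(payload, build_path_php_5_3_4))
    print("PHP 5.3.4+, no NUL    :", build_path_php_5_3_4("../../../../etc/passwd"))
    print("hardened rejects      :", is_rejected(payload))
    print("hardened, legit name  :", build_path_hardened("config"))
    print("response is passwd    :", looks_like_passwd(SAMPLE_HIT))
```

The build_path_php_5_3_4 case is the reason the recommendation pairs the PHP upgrade with input validation: without the NUL byte the forced extension holds, but the ../ traversal still reaches any .tgz the web server user can read.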

Related Identifiers: CVE-2025-66263

Affected Products: Mozart Fm Transmitter