CVE-2025-63228 in FM Transmitter

Summary

by MITRE • 11/18/2025

The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.


Analysis

by VulDB Data Team • 11/19/2025

The vulnerability identified as CVE-2025-63228 affects the Mozart FM Transmitter device running firmware version WEBMOZZI-00287 and specifically targets the web management interface component. This device operates as a wireless broadcasting solution that requires remote administration through a web-based interface, making it a critical target for attackers seeking persistent access to networked environments. The affected system implements a file upload functionality at the /upload_file.php endpoint which lacks proper authentication mechanisms, creating an exploitable entry point for malicious actors. The device's deployment in various industrial and commercial settings increases the potential impact of this vulnerability, as it may serve as a foothold for broader network infiltration.

The technical flaw manifests in the absence of proper input validation and authentication checks within the file upload handler. When an attacker submits a malicious payload through a crafted POST request to the /upload_file.php endpoint, the system fails to verify the request origin or validate the file type, allowing arbitrary file uploads to occur. The uploaded files are stored in the /upload/ directory without any sanitization or security controls, creating a direct pathway for remote code execution. This vulnerability directly maps to CWE-434, which describes insecure file upload vulnerabilities where applications accept files without proper validation, and aligns with ATT&CK technique T1195.001 for Unsecured Credentials and T1566.001 for Phishing, as attackers may use this vulnerability to establish persistent access through webshells.

The operational impact of this vulnerability extends beyond simple remote code execution, as it provides attackers with complete system compromise capabilities. Once a malicious file is successfully uploaded and executed, the attacker gains full control over the device's operating system, potentially enabling them to modify broadcast parameters, access sensitive configuration data, or use the device as a pivot point for attacking other networked systems. The persistent nature of webshell deployments allows for long-term access and data exfiltration, while the unauthenticated nature of the vulnerability means that any network-connected attacker can exploit it without requiring valid credentials. This compromise directly affects the device's intended security posture and may expose organizations to regulatory violations, especially in environments where broadcast systems must maintain strict security controls.

Mitigation strategies should focus on immediate implementation of authentication controls and input validation measures. Network segmentation and firewall rules should be configured to restrict access to the management interface to authorized IP ranges only, while implementing strict file type validation and content inspection mechanisms. The device should be updated to a patched firmware version if available, or the upload functionality should be disabled entirely if not required for operation. Security monitoring should be enhanced to detect suspicious file upload activities and anomalous network traffic patterns, while regular security audits should verify that no unauthorized files have been uploaded to the system. Organizations should also consider implementing network-based intrusion detection systems to identify and block malicious upload attempts, and establish incident response procedures for handling potential exploitation of this vulnerability. The remediation efforts should align with NIST cybersecurity framework guidelines for protecting critical infrastructure components and maintaining system integrity through proper access controls and security monitoring practices.
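One way to run the upload monitoring and audit checks recommended above over the management interface's access log, as an added example that is not vendor or VulDB code. It assumes Common Log Format lines (from the device or a reverse proxy in front of it) and a hypothetical management subnet in `ALLOWED_NETS`; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: approved management stations live in this range; adjust per site.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: extensions the web server may hand to the PHP interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(/|$)", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
10.20.0.5 - - [19/Nov/2025:08:01:11 +0000] "POST /upload_file.php HTTP/1.1" 200 120
203.0.113.9 - - [19/Nov/2025:09:14:02 +0000] "POST /upload_file.php HTTP/1.1" 200 118
203.0.113.9 - - [19/Nov/2025:09:14:07 +0000] "GET /upload/logo.php?x=1 HTTP/1.1" 200 52
10.20.0.5 - - [19/Nov/2025:09:20:00 +0000] "GET /upload/preset.cfg HTTP/1.1" 200 900
malformed line
"""

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def find_alerts(log_text):
    """Return (reason, ip, timestamp, path) tuples for suspicious requests."""
    alerts, uploaders = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        if m["method"] == "POST" and path == "/upload_file.php":
            uploaders.add(ip)
            if not is_allowed(ip):
                alerts.append(("upload-from-unapproved-source", ip, m["ts"], path))
        elif path.startswith("/upload/") and SCRIPT_EXT.search(path):
            seen = ip in uploaders
            reason = "script-request-after-upload" if seen else "script-request-in-upload-dir"
            alerts.append((reason, ip, m["ts"], path))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep="\t")
```

Any `script-request-*` alert is a reason to inspect the /upload/ directory on the device itself, since a script-type file there should not exist in normal operation.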

Responsible: MITRE

Reservation: 10/27/2025

Disclosure: 11/18/2025

Moderation: accepted

CPE: ready

EPSS: 0.00882

KEV: no

Activities: very low
