CVE-2025-66254 in Mozart FM Transmitter
Summary
by MITRE • 11/26/2025
Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to delete arbitrary files via the deleteupgrade parameter, which is processed without authentication.
The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
Analysis
by VulDB Data Team • 12/04/2025
The vulnerability CVE-2025-66254 represents a critical security flaw in the DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter software across multiple versions including 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. This issue manifests through the upgrade_contents.php script located at /var/www/upgrade_contents.php which processes a deleteupgrade parameter without proper authentication or input validation. The vulnerability is classified as an unauthenticated arbitrary file deletion flaw that directly violates security principles established by CWE-22, which addresses improper limitation of a pathname to a restricted directory, and CWE-434, which covers unrestricted upload of files with dangerous types. The attack vector leverages the absence of any extension restrictions or path sanitization mechanisms, creating a pathway for malicious actors to target files within the /var/www/upload/ directory. This represents a fundamental failure in the principle of least privilege and input validation, as the system accepts user-provided parameters without proper authorization checks or sanitization routines.
The technical exploitation of this vulnerability occurs when an attacker sends a request whose deleteupgrade parameter names a file path pointing at system-critical files within the upload directory. The lack of any path traversal restrictions or file extension validation means that an attacker can specify any file path relative to the upload directory, potentially allowing deletion of system configuration files, application binaries, or other critical components. This vulnerability directly maps to the ATT&CK technique T1485, which covers data destruction through deletion of files and system components, and T1566, which covers credential harvesting through manipulation of system files. The absence of authentication checks means that any remote attacker can exploit this flaw without requiring valid credentials, making it particularly dangerous for network-accessible systems. The vulnerability's impact is amplified by the fact that it operates at the filesystem level, potentially allowing attackers to remove essential system files that could cause service disruption or create opportunities for further exploitation.
The operational impact of CVE-2025-66254 extends beyond simple file deletion to potentially compromise entire system availability and integrity. When attackers can remove critical files from the /var/www/upload/ directory, they can cause application crashes or create persistent denial-of-service conditions that affect legitimate users. More concerning is the potential for attackers to remove files that could be used for forensic analysis or system recovery, complicating incident response efforts. The vulnerability's presence in multiple versions of the Mozart FM Transmitter software indicates a systemic design flaw that affects numerous installations, potentially exposing a large number of critical infrastructure systems to attack. This type of vulnerability represents a significant risk to industrial control systems and network infrastructure, where unauthorized modification or deletion of system files can lead to service interruptions, data loss, or even safety hazards in environments where these transmitters may be part of larger operational technology ecosystems. Organizations using these systems must consider the broader implications of unauthorized file deletion on their operational continuity and security posture, as this vulnerability could be leveraged as a stepping stone for more sophisticated attacks.
The recommended mitigations for this vulnerability include immediate implementation of authentication checks for all file manipulation operations, particularly those affecting system-critical directories. The upgrade_contents.php script must be updated to validate all input parameters through strict sanitization routines that prevent path traversal attacks and validate file extensions against a whitelist of allowed types. Implementing proper access controls through authentication mechanisms such as HTTP Basic Auth or token-based validation will ensure that only authorized personnel can perform file deletion operations. Additionally, the system should implement proper file path validation that restricts file operations to specific, safe directories and prevents access to system-critical locations. Network segmentation and firewall rules should be implemented to restrict access to the upgrade_contents.php endpoint to only trusted administrative networks. Regular security audits and input validation testing should be conducted to identify similar vulnerabilities in other system components. Organizations should also implement monitoring and logging for file deletion operations to detect unauthorized access attempts and establish incident response procedures for handling such security events. The fix should align with security best practices outlined in the OWASP Top Ten and NIST Cybersecurity Framework, particularly focusing on input validation, access control, and defense in depth strategies to prevent similar vulnerabilities from being introduced in future software releases.
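The following is an added example of what a hardened deletion handler for an upload directory can look like, written here to illustrate the mitigations listed above; it is not the vendor's upgrade_contents.php and is not derived from it. The function names, the session-based administrator check, the CSRF token, and the list of allowed package extensions are assumptions for illustration. The example combines the controls the analysis calls for: an authentication check before any filesystem operation, a filename allowlist that rejects separators and traversal components, an extension allowlist, canonicalisation with containment inside /var/www/upload/, and logging of every refused and completed deletion so that abuse attempts are visible to monitoring.

```php
<?php
// Added example (not the vendor's code): hardened handling of a
// "deleteupgrade" request against an upload directory.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/upload';
// Assumed set of upgrade package extensions; adjust to the real product.
const ALLOWED_EXTENSIONS = ['bin', 'tar', 'gz', 'upg'];

/**
 * Resolve a user-supplied upgrade file name to a canonical path inside
 * $uploadDir. Returns the path, or null when the request must be refused.
 */
function resolveUpgradeFile(string $requested, string $uploadDir = UPLOAD_DIR): ?string
{
    // Plain file name only: alphanumeric start (no dot-files), no slashes,
    // no NUL bytes, bounded length. "\z" anchors at the true end of string.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
        return null;
    }
    // Defence in depth: the name must survive basename() unchanged.
    if ($requested !== basename($requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Canonicalise both sides and verify containment; a symlink inside the
    // upload directory that points elsewhere resolves outside and is refused.
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

function handleDeleteUpgrade(): void
{
    session_start();
    $client = $_SERVER['REMOTE_ADDR'] ?? '-';

    // Authentication first: only a logged-in administrator may delete
    // packages ($_SESSION['admin_authenticated'] is an assumed session key).
    if (empty($_SESSION['admin_authenticated'])) {
        error_log("deleteupgrade refused (unauthenticated): client=$client");
        http_response_code(401);
        exit('authentication required');
    }
    // State-changing action: require POST and a per-session CSRF token (assumed).
    $token = (string)($_POST['csrf_token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals((string)($_SESSION['csrf_token'] ?? ''), $token)) {
        http_response_code(403);
        exit('forbidden');
    }

    $requested = (string)($_POST['deleteupgrade'] ?? '');
    $path = resolveUpgradeFile($requested);
    if ($path === null) {
        // Log the raw value hex-encoded so log injection is not possible.
        error_log(sprintf('deleteupgrade refused (invalid name): client=%s name=%s',
            $client, bin2hex($requested)));
        http_response_code(400);
        exit('invalid upgrade file');
    }
    if (!unlink($path)) {
        error_log("deleteupgrade failed: client=$client path=$path");
        http_response_code(500);
        exit('deletion failed');
    }
    error_log("deleteupgrade ok: client=$client path=$path");
    echo 'deleted';
}

// Run the handler only when served by a web SAPI, so the file can also be
// included from a CLI test harness that exercises resolveUpgradeFile().
if (PHP_SAPI !== 'cli') {
    handleDeleteUpgrade();
}
```

With this structure, a value such as `../../etc/passwd` is rejected by the filename pattern before any filesystem call, a file with an unexpected extension is rejected even if it sits in the upload directory, and a name that passes both checks is still canonicalised and tested for containment, so a planted symlink cannot redirect the deletion. The refused-request log lines give a simple detection signal: repeated `deleteupgrade refused` entries from one client, or any unauthenticated attempt, should be alerted on.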