
CVE-2025-66262

nvd nist
Published: Nov 26, 2025
Modified: Dec 3, 2025

9.3
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
Source: b7efe717-a805-47cf-8e9a-921fca0ce0ce (Secondary)

Description

Arbitrary file overwrite via tar extraction path traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000: tar extraction with `-C /` allows an attacker to overwrite arbitrary files via a crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
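
An added example (not part of the advisory or the vendor's code): a pre-extraction check for a restore archive. It shows that relative names such as `etc/shadow` contain no `..` at all, so only an allowlist of the expected subtree blocks them when the extraction root is `/`. The `memories/` prefix, the function names and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

# Assumption: a legitimate backup only ever contains paths under this subtree.
ALLOWED_PREFIX = "memories/"


def build_archive(names, symlinks=None):
    """Build an in-memory .tgz with the given member names (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def rejected_members(archive_bytes, allowed_prefix=ALLOWED_PREFIX):
    """Return (name, reason) for every member that must block the restore."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            norm = posixpath.normpath(name)
            if not (member.isfile() or member.isdir()):
                # Links and device nodes can redirect later writes elsewhere.
                problems.append((name, "not a regular file or directory"))
            elif name.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append((name, "absolute path or '..' escape"))
            elif not (norm + "/").startswith(allowed_prefix):
                # No '..' needed: with -C / a plain relative name is enough.
                problems.append((name, "outside allowed subtree"))
    return problems
```

Run the check before extraction and refuse the whole archive if the list is non-empty; unpack accepted archives into a dedicated staging directory rather than `/`.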

Affected (22)

22 products
Mozart Next 100 Firmware
Mozart Next 1000 Firmware
Mozart Next 2000 Firmware
Mozart Next 30 Firmware
Mozart Next 300 Firmware
Mozart Next 3000 Firmware
Mozart Next 3500 Firmware
Mozart Next 50 Firmware
Mozart Next 500 Firmware
Mozart Next 6000 Firmware
Mozart Next 7000 Firmware
Mozart Dds Next 30 Firmware
Mozart Dds Next 50 Firmware
Mozart Dds Next 100 Firmware
Mozart Dds Next 300 Firmware
Mozart Dds Next 500 Firmware
Mozart Dds Next 1000 Firmware
Mozart Dds Next 2000 Firmware
Mozart Dds Next 3000 Firmware
Mozart Dds Next 3500 Firmware
Mozart Dds Next 6000 Firmware
Mozart Dds Next 7000 Firmware
Configurations (each: 1 vulnerable · 1 platform)

| Configuration | Vulnerable software: affected versions | Running on/with | Platform versions |
|---|---|---|---|
| A | All versions | Dbbroadcast Mozart Next 100 | All versions |
| B | All versions | Dbbroadcast Mozart Next 1000 | All versions |
| C | All versions | Dbbroadcast Mozart Next 2000 | All versions |
| D | All versions | Dbbroadcast Mozart Next 30 | All versions |
| E | All versions | Dbbroadcast Mozart Next 300 | All versions |
| F | All versions | Dbbroadcast Mozart Next 3000 | All versions |
| G | All versions | Dbbroadcast Mozart Next 3500 | All versions |
| H | All versions | Dbbroadcast Mozart Next 50 | All versions |
| I | All versions | Dbbroadcast Mozart Next 500 | All versions |
| J | All versions | Dbbroadcast Mozart Next 6000 | All versions |
| K | All versions | Dbbroadcast Mozart Next 7000 | All versions |
| L | All versions | Dbbroadcast Mozart Dds Next 30 | All versions |
| M | All versions | Dbbroadcast Mozart Dds Next 50 | All versions |
| N | All versions | Dbbroadcast Mozart Dds Next 100 | All versions |
| O | All versions | Dbbroadcast Mozart Dds Next 300 | All versions |
| P | All versions | Dbbroadcast Mozart Dds Next 500 | All versions |
| Q | All versions | Dbbroadcast Mozart Dds Next 1000 | All versions |
| R | All versions | Dbbroadcast Mozart Dds Next 2000 | All versions |
| S | All versions | Dbbroadcast Mozart Dds Next 3000 | All versions |
| T | All versions | Dbbroadcast Mozart Dds Next 3500 | All versions |
| U | All versions | Dbbroadcast Mozart Dds Next 6000 | All versions |
| V | All versions | Dbbroadcast Mozart Dds Next 7000 | All versions |

References (1)

Source: b7efe717-a805-47cf-8e9a-921fca0ce0ce
Tags: Exploit, Third Party Advisory
