CVE-2025-66250

high-risk

Published 2025-11-26

Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Allows unauthenticated arbitrary file upload via /var/tdf/status_contents.php.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Mozart Next 100 Firmware

Mozart Next 1000 Firmware

Mozart Next 2000 Firmware

Mozart Next 30 Firmware

Mozart Next 300 Firmware

Mozart Next 3000 Firmware

Mozart Next 3500 Firmware

Mozart Next 50 Firmware

Mozart Next 500 Firmware

Mozart Next 6000 Firmware

Mozart Next 7000 Firmware

Mozart Dds Next 30 Firmware

Mozart Dds Next 50 Firmware

Mozart Dds Next 100 Firmware

Mozart Dds Next 300 Firmware

Mozart Dds Next 500 Firmware

Mozart Dds Next 1000 Firmware

Mozart Dds Next 2000 Firmware

Mozart Dds Next 3000 Firmware

Mozart Dds Next 3500 Firmware

Affected Vendors

Dbbroadcast

References (1)

Exploit https://www.abdulmhsblog.com/posts/webfmvulns/

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 0/34 · Minimal

Exposure 20/34 · Moderate