CVE-2025-66261

Опубликовано: 26 нояб. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The /var/tdf/restore_settings.php endpoint passes user-controlled $_GET["name"] parameter through urldecode() directly into exec() without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (;, |, &&, etc.) to achieve unauthenticated remote code execution as the web server user.

Ссылки

https://www.abdulmhsblog.com/posts/webfmvulns/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:*

Конфигурация 7

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:*

Конфигурация 8

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_50:-:*:*:*:*:*:*:*

Конфигурация 9

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_500:-:*:*:*:*:*:*:*

Конфигурация 10

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_6000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_6000:-:*:*:*:*:*:*:*

Конфигурация 11

Одновременно

cpe:2.3:o:dbbroadcast:mozart_next_7000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_next_7000:-:*:*:*:*:*:*:*

Конфигурация 12

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_30_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_30:-:*:*:*:*:*:*:*

Конфигурация 13

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_50_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_50:-:*:*:*:*:*:*:*

Конфигурация 14

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_100:-:*:*:*:*:*:*:*

Конфигурация 15

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_300:-:*:*:*:*:*:*:*

Конфигурация 16

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_500:-:*:*:*:*:*:*:*

Конфигурация 17

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_1000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_1000:-:*:*:*:*:*:*:*

Конфигурация 18

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_2000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_2000:-:*:*:*:*:*:*:*

Конфигурация 19

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_3000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_3000:-:*:*:*:*:*:*:*

Конфигурация 20

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_3500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_3500:-:*:*:*:*:*:*:*

Конфигурация 21

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_6000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_6000:-:*:*:*:*:*:*:*

Конфигурация 22

Одновременно

cpe:2.3:o:dbbroadcast:mozart_dds_next_7000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dbbroadcast:mozart_dds_next_7000:-:*:*:*:*:*:*:*

EPSS

Процентиль: 70%

0.00632

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-78

Связанные уязвимости

GHSA-q595-fccr-c7x4

CVSS3: 9.8

github

2 месяца назад

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.

EPSS

Процентиль: 70%

0.00632

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-78