CVE 9.9 CRITICAL

Unauthenticated OS Command Injection (restore_settings.php)_CVE-2025-66261

November 25, 2025 invoker category_cve

9.9 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

Description

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.
The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.

AI Analysis

Unauthenticated OS Command Injection vulnerability in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter allows remote code execution

Basic Information

ID CVE-2025-66261

Source Gridware

Published Nov 26, 2025 at 00:49

Affected Product

Vendor DB Electronica Telecomunicazioni S.p.A.

Product Mozart FM Transmitter

Version 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000

Affected Versions DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 30
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 50
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 100
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 300
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 500
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 1000
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 2000
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 3000
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 3500
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 6000
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 7000

CWE Classification

CWE-78

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor DB Electronica Telecomunicazioni S.p.A.

Product Mozart FM Transmitter

Version 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000

References

www.abdulmhsblog.com /posts/webfmvulns/

{
    "lastseen": "",
    "description": "Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution.\nThe `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET[\"name\"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.",
    "published": "2025-11-26T00:49:38.259Z",
    "modified": "2025-11-26T00:49:38.259Z",
    "type": "cve",
    "title": "Unauthenticated OS Command Injection (restore_settings.php)",
    "source": "Gridware",
    "references": "https://www.abdulmhsblog.com/posts/webfmvulns/",
    "id": "CVE-2025-66261",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 30\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 50\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 100\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 300\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 500\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 1000\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 2000\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 3000\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 3500\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 6000\nDB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter 7000",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mozart FM Transmitter",
    "version": "30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000",
    "vendor": "DB Electronica Telecomunicazioni S.p.A.",
    "ai_description": "Unauthenticated OS Command Injection vulnerability in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter allows remote code execution",
    "ai_severity": "Critical",
    "ai_vendor": "DB Electronica Telecomunicazioni S.p.A.",
    "ai_product": "Mozart FM Transmitter",
    "ai_version": "30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply