Unrated severityNVD Advisory· Published Nov 26, 2025· Updated Dec 3, 2025

Unauthenticated OS Command Injection (start_upgrade.php)

CVE-2025-66253

Description

Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform User input passed directly to exec() allows remote code execution via start_upgrade.php. The /var/tdf/start_upgrade.php endpoint passes user-controlled $_GET["filename"] directly into exec() without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (;, |, etc.) to achieve remote code execution as the web server user (likely root).

Affected products

DB Electronica Telecomunicazioni S.p.A./Mozart FM Transmitterllm-fuzzy
Range: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
DB Electronica Telecomunicazioni S.p.A./Mozart FM Transmitterv5
Range: 30

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.abdulmhsblog.com/posts/webfmvulns/mitreexploittechnical-description

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000