Unrated severityNVD Advisory· Published Nov 26, 2025· Updated Dec 3, 2025

Unauthenticated Arbitrary File Deletion (upgrade_contents.php)

CVE-2025-66254

Description

Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deleteupgrade parameter allows unauthenticated deletion of arbitrary files.

The deleteupgrade parameter in /var/www/upgrade_contents.php allows unauthenticated deletion of arbitrary files in /var/www/upload/ without any extension restriction or path sanitization, enabling attackers to remove critical system files.

Affected products

DB Electronica Telecomunicazioni S.p.A./Mozart FM Transmitterllm-fuzzy
Range: versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
DB Electronica Telecomunicazioni S.p.A./Mozart FM Transmitterv5
Range: 30

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.abdulmhsblog.com/posts/webfmvulns/mitreexploittechnical-description

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000