CVE-2025-66262

Summary

Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The restore_mozzi_memories.sh script extracts user-controlled tar archives with -C / flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., etc/shadow, var/www/index.php) to overwrite critical system files in writable directories, achieving full system compromise.

Affected Software

VendorProductVersion RangeStatus
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter30affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter50affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter100affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter300affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter500affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter1000affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter2000affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter3000affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter3500affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter6000affected
DB Electronica Telecomunicazioni S.p.A.Mozart FM Transmitter7000affected

Weaknesses

  • CWE-22: CWE-22 Arbitrary File Overwrite via Tar Extraction Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References