CVE-2025-63228
Severity CVSS v4.0:
Pending analysis
Type:
CWE-434
Unrestricted Upload of File with Dangerous Type
Publication date:
18/11/2025
Last modified:
08/12/2025
Description
The Mozart FM Transmitter web management interface on version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:dbbroadcast:mozart_next_100_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_100:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_1000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_1000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_2000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_2000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_30_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_30:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_300_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_300:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_3000_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_3000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_3500_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dbbroadcast:mozart_next_3500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dbbroadcast:mozart_next_50_firmware:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page