Skip to content

Instantly share code, notes, and snippets.

@symbuzzer

symbuzzer/Delightmare.md

Last active January 7, 2026 13:47
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save symbuzzer/3315e88adc2bba0b6cc66d192b49546d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save symbuzzer/3315e88adc2bba0b6cc66d192b49546d to your computer and use it in GitHub Desktop.
Download ZIP
"Delightmare" - Delight CFW (custom firmware) 0 day Logic Flaw vulnerability (CVE-2025-65885)
Raw
Delightmare.md

CVE-2025-65885 – Public Disclosure

Summary

A critical vulnerability exists in Delight Custom Firmware (CFW) for Symbian Belle devices that allows arbitrary command execution during boot, leading to a persistent bootloop and potential silent code execution without user interaction.

The issue is triggered by the presence of a specially crafted text file (Delight.txt) placed in a specific data directory (E:\Data\). The file contents are parsed and executed during the boot process without proper validation or user consent.

This behavior strongly suggests the presence of either:

  • an unintended logic flaw, or
  • a deliberate backdoor-like mechanism introduced by the firmware.

Affected Product

Delight Custom Firmware (CFW) for Symbian Belle devices: Nokia 808, Nokia N8, Nokia E7, Nokia C7, Nokia C6-01, Nokia 700, Nokia 701, Nokia 603, Nokia 500, Nokia E6, Nokia Oro, Vertu Constellation T

Affected Versions

All known released versions, including but not limited to: Delight CFW installed:

  • Nokia 808 (latest Delight v1.8)
  • Nokia N8 (latest Delight v6.7)
  • Nokia E7 (latest Delight v1.3)
  • Nokia C7 (latest Delight v6.7)
  • Nokia C6-01 (latest Delight v1.1)
  • Nokia 700 (latest Delight v1.2)
  • Nokia 701 (latest Delight v1.1)
  • Nokia 603 (latest Delight v1.0)
  • Nokia 500 (latest Delight v1.2)
  • Nokia E6 (latest Delight v1.0)
  • Nokia Oro (latest Delight v1.0)
  • Vertu Constellation T (latest Delight v1.0)

Impact

An attacker (or user) with filesystem write access can:

  • Trigger a permanent bootloop
  • Execute arbitrary binaries (EXE files) during system startup
  • Potentially install applications (Symbian, Java Midlets, WGZ widgets) silently (if installserver.exe patch already applied)
  • Modify system state without user interaction
  • Modify all files from RW drivers like C, D, E, F without user interaction (no need to Open4All patch enabled)
  • Achieve persistent effects surviving reboot

Safe Testing Method

  1. Create a file named Delight.txt
  2. Place it in: E:\Data\
  3. Write the following content into the file: note "Hello World!"
  4. Reboot the device
  5. You should see "Hello World!" alert dialog on every boot

Also Reborn CFW for N8 drops special Delight.txt file for informing Delight users about this vulnerability. Users who install Delight CFW after Reborn CFW, encounter this message on every reboot: "DELIGHTMARE exploit is for exposing vulnerability/backdoor of Delight CFW! Greetings from Reborn CFW :)"

(Please see https://code.google.com/archive/p/minicmd/wikis/CommandSet.wiki for other commands for Delight.txt)

Dangerous Testing Method 1/3 (Not recommended)

  1. Create a file named Delight.txt
  2. Place it in: E:\Data\
  3. Write the following content into the file: run Restart.exe
  4. Reboot the device
  5. The device will enter a bootloop and will shut down again every time it restarts

Dangerous Testing Method 2/3 (Not recommended)

  1. Create a file named Delight.txt
  2. Place it in: E:\Data\
  3. Write the following content into the file: install F:\virus.sis
  4. Reboot the device
  5. After restarting; silently installs "virus.sis" file in F:\ folder (memory card) if exists

Dangerous Testing Method 3/3 (Not recommended)

  1. Create a file named Delight.txt
  2. Place it in: E:\Data\
  3. Write the following content into the file: find /s C:\;E:\;F:\|* rm
  4. Reboot the device
  5. After restarting; device memory (C), internal memory (E) and memory card (F) are completely erased

Mitigation

  • The permanent solution is to update Delight CFW so that it only reads the Delight.txt file from the Z drive. Note: The developer stated that he would not release an update despite being notified of the vulnerability.
  • The temporary solution is to delete the E:\Data\Delight.txt file and avoid installing applications that created this file.

Analysis

  • The firmware implicitly trusts a plaintext file located in a user-accessible directory.
  • File contents are parsed and interpreted as executable commands.
  • No validation, authentication, or user confirmation is performed.
  • The mechanism runs during early boot, amplifying impact.

Attack Vector

  • Local
  • No user interaction required after file placement
  • Persistent across reboots

Disclosure Status

  • Vendor notified (on 02/12/2025)
  • CVE requested (on 16/11/2025)
  • Public documentation available (on 15/12/2025)

Author

Ali BEYAZ (symbuzzer) - https://github.com/symbuzzer

Disclaimer

This documentation is provided for educational, research and defensive purposes only.
Do not test on devices you do not own or have permission to analyze.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment