
CVE-2025-63228: n/a

Critical
Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The Mozart FM Transmitter web management interface, version WEBMOZZI-00287, contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise.

AI-Powered Analysis

Last updated: 11/25/2025, 21:05:17 UTC

Technical Analysis

The vulnerability identified as CVE-2025-63228 affects the Mozart FM Transmitter's web management interface, specifically version WEBMOZZI-00287. It resides in the /upload_file.php endpoint, which improperly handles file uploads without any authentication or authorization checks. An attacker can craft a POST request containing a malicious file, such as a PHP webshell, which the server stores in the /upload/ directory. This allows the attacker to execute arbitrary code remotely, potentially gaining full control over the device and the underlying system. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS v3.1 base score of 9.8, reflecting its critical severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality, integrity, and availability (C:H/I:H/A:H). Although no patches or known exploits are currently documented, the risk is high due to the ease of exploitation and the potential for complete system compromise. The Mozart FM Transmitter is typically used in broadcasting and communication environments, making this vulnerability particularly dangerous if exploited in operational technology or critical infrastructure contexts.

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Compromise of the Mozart FM Transmitter devices could lead to unauthorized access to broadcast systems, manipulation or disruption of FM transmissions, and potential pivoting into broader corporate or industrial networks. Confidential data could be exfiltrated, and attackers could disrupt services critical to communication infrastructure. Given the criticality of communication systems in sectors such as media, emergency services, and transportation, exploitation could cause widespread operational disruptions and reputational damage. Additionally, attackers gaining persistent access could use these devices as footholds for further attacks within European networks. The lack of authentication and ease of exploitation increase the likelihood of attacks, especially if these devices are exposed to the internet or poorly segmented networks.

Mitigation Recommendations

1. Immediately isolate affected Mozart FM Transmitter devices from the internet and untrusted networks to prevent external exploitation.
2. Disable or restrict access to the /upload_file.php endpoint if possible, or implement network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized POST requests to this endpoint.
3. Monitor network traffic and device logs for unusual file upload activity or execution of unexpected scripts.
4. Employ strict network segmentation to separate broadcast devices from critical IT infrastructure.
5. If vendor patches become available, prioritize their deployment after testing.
6. Conduct thorough audits of all Mozart FM Transmitter devices to identify any signs of compromise or unauthorized file uploads.
7. Implement intrusion detection systems (IDS) tuned to detect webshell signatures and anomalous behaviors on these devices.
8. Educate operational technology (OT) and IT teams about this vulnerability to ensure rapid response and containment.
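
The log review called for in recommendations 3 and 6 can be scripted. The following is an added example, not part of the original advisory or any vendor tooling. It assumes access logs in Apache/Nginx "combined" format (for instance from a reverse proxy in front of the transmitter); the sample lines, addresses and file names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" format (assumed log source: a reverse
# proxy in front of the transmitter; the device's own log format may differ).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Nov/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Nov/2025:10:02:13 +0000] "POST /upload_file.php HTTP/1.1" 200 48 "-" "curl/8.4.0"
198.51.100.7 - - [18/Nov/2025:10:02:20 +0000] "GET /upload/status.php?x=1 HTTP/1.1" 200 17 "-" "curl/8.4.0"
192.0.2.10 - - [18/Nov/2025:10:05:00 +0000] "GET /upload/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2025:11:30:00 +0000] "POST /upload_file.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.IGNORECASE)

def find_upload_abuse(log_text, window=timedelta(minutes=30)):
    """Return (severity, ip, timestamp, path) findings for the CVE-2025-63228 pattern."""
    findings, uploads = [], {}  # uploads: ip -> time of last accepted upload POST
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and path == "/upload_file.php":
            # The endpoint has no authentication, so every accepted POST needs review.
            findings.append(("review" if ok else "blocked", m["ip"], ts, path))
            if ok:
                uploads[m["ip"]] = ts
        elif path.startswith("/upload/") and SCRIPT_EXT.search(path) and ok:
            # A script served from the upload directory means uploaded code may have run.
            recent = m["ip"] in uploads and ts - uploads[m["ip"]] <= window
            findings.append(("critical" if recent else "high", m["ip"], ts, path))
    return findings

if __name__ == "__main__":
    for sev, ip, ts, path in find_upload_abuse(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {ts.isoformat()} {path}")
```

A "blocked" finding shows a network control from recommendation 2 rejecting the request; "high" marks a script fetched from /upload/ with no matching upload in the log window, which is worth checking against older logs.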


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 691cd3b5b044fc99aa3e1008

Added to database: 11/18/2025, 8:14:45 PM

Last enriched: 11/25/2025, 9:05:17 PM

Last updated: 1/7/2026, 4:17:08 AM
