CVE-2025-66250: CWE-434 Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to upload arbitrary files via /var/tdf/status_contents.php.
AI Analysis
Technical Summary
CVE-2025-66250 is a critical vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting DB Electronica Telecomunicazioni S.p.A.'s Mozart FM Transmitter devices, versions 30 through 7000. The vulnerability resides in the status_contents.php script, which improperly handles file uploads, allowing unauthenticated attackers to upload arbitrary files to the device's filesystem, specifically via the /var/tdf/status_contents.php endpoint. Because no authentication or user interaction is required, an attacker can remotely exploit this flaw over the network. The uploaded files could include malicious scripts or binaries, enabling remote code execution or persistent backdoors. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N) reflects a network attack vector with low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and broad version impact make it a high-risk issue. The affected devices are commonly used in FM broadcasting infrastructure, which is critical for communication and media dissemination. Exploitation could disrupt broadcasting services, leak sensitive operational data, or allow attackers to pivot into broader network environments. The lack of available patches at the time of disclosure necessitates immediate risk management and mitigation strategies.
Potential Impact
For European organizations, especially broadcasters and telecommunications providers using Mozart FM Transmitter devices, this vulnerability poses a severe risk. Exploitation could lead to unauthorized control over broadcasting equipment, resulting in service outages, manipulation of broadcast content, or espionage through data exfiltration. The integrity and availability of critical communication channels could be compromised, impacting emergency broadcasts and public information dissemination. Additionally, attackers could leverage compromised devices as footholds to infiltrate wider organizational networks, threatening broader IT infrastructure. The critical CVSS score underscores the potential for widespread disruption without requiring user interaction or credentials. Given Europe's reliance on robust communication infrastructure, this vulnerability could have cascading effects on media companies, emergency services, and regulatory compliance with data protection laws such as GDPR if sensitive data is exposed.
Mitigation Recommendations
Immediate mitigation should focus on network-level protections, including isolating affected Mozart FM Transmitter devices from untrusted networks and restricting access to management interfaces. Organizations should implement strict firewall rules to block unauthorized inbound traffic to the status_contents.php endpoint. Continuous monitoring for anomalous file uploads or unexpected changes in device file systems is essential. Until official patches are released, consider deploying web application firewalls (WAFs) with custom rules to detect and block arbitrary file upload attempts targeting the vulnerable endpoint. Conduct thorough audits of device configurations and firmware versions to identify affected units. Engage with DB Electronica Telecomunicazioni S.p.A. for timely patch releases and apply updates as soon as they become available. Additionally, implement network segmentation to limit lateral movement if a device is compromised and maintain incident response plans tailored to broadcasting infrastructure attacks.
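The mitigation guidance above asks for continuous monitoring of upload attempts against the vulnerable endpoint. The script below is an added example written for this page, not code from DB Electronica or from the advisory: it parses Apache/nginx combined-format access-log lines, flags POST/PUT requests whose path ends in status_contents.php (query string ignored, case-insensitive), and rates each hit by whether the client address sits inside an assumed management subnet (10.20.0.0/24 is a placeholder you would replace with your own allowlist). The log lines in SAMPLE_LOG are constructed for the demonstration.

```python
# Added example: flag upload attempts against status_contents.php in web access logs.
# Sample log lines are constructed; the management subnet is an assumption, not a vendor value.
import ipaddress
import re
from typing import Dict, List, Optional

VULNERABLE_SCRIPT = "status_contents.php"                  # endpoint named in CVE-2025-66250
UPLOAD_METHODS = {"POST", "PUT"}                           # methods that can carry a file body
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed: trusted management VLAN

# Apache/nginx "combined" access log prefix: ip ident user [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one benign GET, one upload from an untrusted address,
# one upload from the management VLAN, one unrelated POST, one unparseable line.
SAMPLE_LOG = """\
10.20.0.5 - - [03/Dec/2025:04:10:01 +0000] "GET /status_contents.php HTTP/1.1" 200 512
203.0.113.77 - - [03/Dec/2025:04:12:44 +0000] "POST /status_contents.php HTTP/1.1" 200 38
10.20.0.5 - - [03/Dec/2025:04:13:02 +0000] "POST /Status_Contents.php?x=1 HTTP/1.1" 200 38
198.51.100.9 - - [03/Dec/2025:04:16:00 +0000] "POST /login.php HTTP/1.1" 302 0
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def targets_upload_script(path: str) -> bool:
    """True when the request path (query string dropped) ends in the vulnerable script."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith("/" + VULNERABLE_SCRIPT)


def is_management_source(ip: str) -> bool:
    """True when the client address falls inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Rate one parsed request; None means it is not an upload attempt on the endpoint."""
    if entry["method"] not in UPLOAD_METHODS or not targets_upload_script(entry["path"]):
        return None
    if is_management_source(entry["ip"]):
        severity, reason = "review", "upload to status_contents.php from management network"
    else:
        severity, reason = "critical", "unauthenticated upload attempt from untrusted address"
    if entry["status"].startswith("2"):
        reason += " (server answered 2xx: upload likely accepted)"
    return {"ip": entry["ip"], "ts": entry["ts"], "severity": severity, "reason": reason}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every line through the parser and classifier; collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['ip']}: {f['reason']}")
```

Run against the constructed sample, the scan yields two findings: the POST from 203.0.113.77 is rated critical, and the POST from 10.20.0.5 is rated for review because it originates inside the assumed management subnet. Feed real access logs through scan() (or adapt LOG_RE to the transmitter's actual log format, which this page does not document) and forward critical findings to the SIEM; a 2xx response to an upload from outside the management network is the strongest signal that the device should be treated as compromised.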
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:33.790Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69265837ca41832e1e5f38ea
Added to database: 11/26/2025, 1:30:31 AM
Last enriched: 12/3/2025, 4:28:18 AM
Last updated: 12/3/2025, 9:47:03 AM