CVE-2025-66252: CWE-835 Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to trigger an infinite loop when unlink() fails in status_contents.php, causing a DoS. The unlink operation is performed inside a while loop: if an immutable file is specified, or a file that the process has no permission to delete, the script retries the deletion indefinitely and never leaves the loop.
AI Analysis
Technical Summary
CVE-2025-66252 is a vulnerability classified under CWE-835 (Infinite Loop) affecting the Mozart FM Transmitter product line from DB Electronica Telecomunicazioni S.p.A. (models 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000). The flaw is in the status_contents.php script, where unlink() is called inside a while loop to delete a file. If unlink() fails, because the file is immutable or the process lacks permission to delete it, the loop condition never changes and the script spins indefinitely. The busy loop occupies the PHP process handling the request and consumes CPU continuously, so the transmitter's management software, and potentially the device as a whole, becomes unresponsive or severely degraded: a denial of service. The CVSS 4.0 base score is 8.4 (High). The vector specifies a network attack vector, low attack complexity, no user interaction, and high impact on availability and integrity; its PR:H component means the attacker must already hold high privileges on the device, such as an administrative account on its web interface, so this is not an unauthenticated remote attack. No patch is currently linked, and no exploitation in the wild has been reported. Exploitation could disrupt FM broadcasting by hanging the transmitter's control software, affecting the availability of communication infrastructure.
Potential Impact
For European organizations, particularly broadcasters and telecom operators using the Mozart FM Transmitter, this vulnerability poses a significant risk to operational continuity. The infinite loop can leave the transmitter's control software unresponsive, leading to broadcast outages or degraded service quality. That disruption can affect emergency communication channels, public information dissemination, and commercial broadcasting. Given the role of FM transmitters in media and emergency alert systems, prolonged downtime could have regulatory, financial, and reputational consequences. The requirement for high privileges limits the attack surface but does not eliminate the risk, especially where insiders or compromised administrative accounts are involved. Because the attack vector is network and no user interaction is needed, remote exploitation is plausible wherever the administrative interface is exposed or an administrative credential has been compromised. The impact extends beyond individual organizations to national communication infrastructure, potentially affecting public safety and information flow.
Mitigation Recommendations
1. Ensure that the files status_contents.php is expected to delete are owned by, and deletable by, the web server process, and confine the paths the script may operate on so that immutable or permission-restricted files cannot be supplied as targets.
2. Monitor the web server and PHP error logs for repeated unlink() warnings on the same path (for example "Permission denied" or "Operation not permitted"), and alert on a PHP worker pinned at 100% CPU; together these are the signature of the loop being triggered.
3. Restrict administrative access to the transmitter to trusted personnel only, using multi-factor authentication and network segmentation, and keep the management interface off untrusted networks.
4. Apply a patch or firmware update from DB Electronica Telecomunicazioni S.p.A. as soon as one becomes available to fix the loop logic in status_contents.php.
5. As a temporary workaround, modify the script or its environment to bound the deletion: check the return value of unlink(), cap the number of attempts, and fail the request rather than retrying forever.
6. Maintain regular backups and failover for the broadcasting chain to minimize downtime if the device is taken down.
7. Engage the vendor for detailed guidance and support on mitigating this vulnerability in operational environments.
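To make the loop in the technical summary and the bounded-retry workaround in item 5 concrete, the following PHP is an added example; it is not code from the Mozart FM Transmitter firmware. deleteUntilGone() is a reconstruction of the pattern the advisory describes (unlink() retried inside a while loop in status_contents.php) and its exact shape, like the function names, is an assumption. safeUnlink() is the hardened form. A directory is used as a portable stand-in for an undeletable file, because unlink(2) on a directory fails for every user, whereas chattr +i needs CAP_LINUX_IMMUTABLE to set up.

```php
<?php
// Added example for CVE-2025-66252. Not code from the Mozart FM Transmitter;
// deleteUntilGone() is a reconstruction of the pattern the advisory describes
// (unlink() retried inside a while loop in status_contents.php) and its exact
// shape is an assumption. safeUnlink() is the hardened replacement.
declare(strict_types=1);

// VULNERABLE PATTERN (CWE-835): keep calling unlink() until the path is gone.
// unlink() returns false and leaves the entry in place when the file is
// immutable (chattr +i), when the process lacks write permission on the
// parent directory, or when the path is a directory, so file_exists() stays
// true and this function never returns. The '@' only hides the E_WARNING.
function deleteUntilGone(string $path): void
{
    while (file_exists($path)) {
        @unlink($path);                 // result ignored; failure retried forever
        clearstatcache(true, $path);    // make file_exists() re-stat the path
    }
}

// HARDENED: a bounded number of attempts, the return value of unlink() is
// checked, an already-missing file counts as success, and persistent failure
// is logged and reported to the caller instead of being retried forever.
function safeUnlink(string $path, int $maxAttempts = 3, int $backoffUs = 10000): bool
{
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        clearstatcache(true, $path);
        if (!file_exists($path)) {
            return true;                // nothing left to delete: goal met
        }
        if (@unlink($path)) {
            return true;
        }
        // '@' suppresses display only; error_get_last() still sees the warning.
        $reason = error_get_last()['message'] ?? 'unknown error';
        error_log("safeUnlink: attempt {$attempt}/{$maxAttempts} on {$path} failed: {$reason}");
        usleep($backoffUs);             // brief pause for transient failures (e.g. locks)
    }
    return false;                       // give up; the caller decides what to do next
}

// Demonstration on constructed inputs (a throwaway directory under the temp
// dir). The directory itself stands in for an undeletable file: unlink(2) on
// a directory fails with EISDIR for every user, including root.
$dir  = sys_get_temp_dir() . '/cve-2025-66252-demo-' . getmypid();
$file = $dir . '/status.tmp';
mkdir($dir, 0700);
file_put_contents($file, "status\n");

deleteUntilGone($file);                 // terminates: this unlink() succeeds
printf("temp file still exists after deleteUntilGone: %s\n",
       var_export(file_exists($file), true));

// deleteUntilGone($dir) would spin at 100% CPU forever; safeUnlink() gives up
// after $maxAttempts and reports the failure instead.
printf("safeUnlink on a directory returned: %s\n",
       var_export(safeUnlink($dir), true));

rmdir($dir);
```

Run it with the PHP CLI as an unprivileged user. The three "safeUnlink: attempt ... failed: ... Is a directory" lines written to stderr are exactly the repeated-unlink-failure signal that mitigation item 2 proposes alerting on; in the vulnerable form those warnings (if not suppressed) would repeat without end while the worker burns a CPU core.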
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:33.790Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 11/26/2025, 1:30:31 AM
Last enriched: 12/3/2025, 4:13:07 AM
Last updated: 12/4/2025, 5:48:20 PM