CVE-2025-66253: CWE-78 Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to achieve remote code execution via start_upgrade.php, because user input is passed directly to exec(). The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root).
AI Analysis
Technical Summary
CVE-2025-66253 is a critical unauthenticated OS command injection vulnerability identified in the Mozart FM Transmitter devices produced by DB Electronica Telecomunicazioni S.p.A. The vulnerability resides in the start_upgrade.php script located at /var/tdf/start_upgrade.php, which accepts a GET parameter 'filename'. This parameter is passed directly to the PHP exec() function without any sanitization or shell escaping, allowing an attacker to inject arbitrary shell commands using metacharacters like ';' or '|'. Because the web server user is likely running with root privileges, successful exploitation results in remote code execution with full system privileges. The vulnerability affects a broad range of product versions (30 through 7000), indicating a long-standing and widespread issue across the product line. The CVSS v4.0 score of 9.9 reflects the vulnerability's ease of exploitation (no authentication or user interaction required), its network attack vector, and the high impact on confidentiality, integrity, and availability. No patches are currently listed, and no known exploits have been reported in the wild, but the vulnerability's nature makes it a prime target for attackers aiming to compromise broadcast infrastructure. The affected devices are typically used in FM transmission and broadcasting environments, making them critical infrastructure components. Attackers could leverage this vulnerability to disrupt broadcast services, exfiltrate sensitive data, or pivot into broader network environments.
Potential Impact
For European organizations, especially those in the broadcasting and telecommunications sectors, this vulnerability poses a severe risk. Exploitation can lead to complete system takeover of FM transmitter devices, potentially disrupting radio broadcast services which are critical for communication, emergency alerts, and media distribution. The compromise of these devices could also serve as a foothold for lateral movement into enterprise networks, threatening broader organizational IT infrastructure. Confidentiality is at risk due to possible data exfiltration, integrity is compromised as attackers can alter device configurations or firmware, and availability is threatened through potential denial-of-service or sabotage of transmission capabilities. Given the critical role of FM transmitters in public communication, exploitation could have cascading effects on public safety and information dissemination. The lack of authentication and ease of exploitation increase the likelihood of attacks, especially in environments where these devices are exposed to untrusted networks or insufficiently segmented. The impact extends beyond individual organizations to national communication infrastructures, making this a high-priority threat for European critical infrastructure protection.
Mitigation Recommendations
1. Immediate network segmentation: Isolate affected Mozart FM Transmitter devices from public and untrusted networks to prevent unauthorized access to the start_upgrade.php endpoint.
2. Access control: Implement strict firewall rules and access control lists (ACLs) to restrict access to the vulnerable endpoint only to trusted management networks or IP addresses.
3. Monitoring and detection: Deploy network and host-based intrusion detection systems (IDS) to monitor for suspicious requests targeting start_upgrade.php or unusual command execution patterns on the devices.
4. Vendor engagement: Engage with DB Electronica Telecomunicazioni S.p.A. to obtain patches or firmware updates addressing the vulnerability as soon as they become available.
5. Temporary workaround: If patching is not immediately possible, consider disabling or restricting access to the start_upgrade.php script or the web management interface entirely, if operationally feasible.
6. Incident response readiness: Prepare for potential exploitation by establishing incident response plans specific to broadcast infrastructure compromise.
7. Regular audits: Conduct security audits and penetration tests focusing on broadcast and telecommunications equipment to identify similar vulnerabilities.
8. User training: Educate network administrators and operators about the risks of exposing management interfaces and the importance of secure configuration.
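As an added detection example for recommendation 3 (written here, not taken from the advisory or the vendor), the following Python scans web access log lines for requests to start_upgrade.php whose filename parameter contains shell metacharacters after full percent-decoding, or falls outside a conservative filename allowlist. The log lines and the URL path of the script are constructed assumptions; on a real deployment the source would be a reverse proxy or IDS log in front of the transmitter's web interface.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access log lines (Combined Log Format), standing in for traffic
# seen by a reverse proxy in front of the transmitter's web UI. Constructed data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /start_upgrade.php?filename=mozart_fw_2025.bin HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2025:10:00:07 +0000] "GET /start_upgrade.php?filename=x.bin%3Bid HTTP/1.1" 200 640
10.0.0.9 - - [01/Dec/2025:10:00:09 +0000] "GET /start_upgrade.php?filename=x.bin%257Cid HTTP/1.1" 200 640
10.0.0.5 - - [01/Dec/2025:10:00:12 +0000] "GET /index.php?page=status HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Shell metacharacters that never belong in a firmware file name.
SHELL_META = re.compile(r'[;|&`$()<>\n\\]')
# Allowlist for a legitimate firmware file name (no slashes, no spaces, no quotes).
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that %3B and %253B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return a reason string if the request looks like abuse of start_upgrade.php, else None."""
    parts = urlsplit(target)
    # Assumption: the script is served under its file name; adjust to the real web path.
    if not parts.path.endswith("start_upgrade.php"):
        return None
    # Split on '&' only, so an unencoded ';' stays inside the value and is inspected.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if key != "filename":
            continue
        name = fully_decode(raw)
        if SHELL_META.search(name):
            return f"shell metacharacter in filename: {name!r}"
        if not SAFE_NAME.match(name):
            return f"filename outside allowlist: {name!r}"
    return None

def scan_log(text):
    """Return (client_ip, timestamp, reason) for each suspicious request in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := inspect_request(m.group("target"))):
            alerts.append((m.group("ip"), m.group("ts"), reason))
    return alerts
```

The allowlist check also catches path-style values such as `../etc/passwd`, so an alert is worth reviewing even when no metacharacter is present.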
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:33.790Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69265837ca41832e1e5f38f3
Added to database: 11/26/2025, 1:30:31 AM
Last enriched: 12/3/2025, 4:35:33 PM
Last updated: 12/4/2025, 10:23:12 PM