CVE-2025-66254: CWE-73 Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated arbitrary file deletion via upgrade_contents.php in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files.
AI Analysis
Technical Summary
CVE-2025-66254 is an unauthenticated arbitrary file deletion vulnerability identified in the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A., affecting versions 30 through 7000. The vulnerability resides in the upgrade_contents.php script, specifically in the handling of the 'deleteupgrade' parameter. This parameter allows an attacker to specify files for deletion within the /var/www/upload/ directory without any extension restrictions or path sanitization. Consequently, an attacker can craft requests to delete arbitrary files, including critical system or application files, leading to potential denial of service or further exploitation opportunities. The vulnerability requires no authentication (AV:N/AC:L/AT:N), no user interaction, and can be exploited remotely, making it highly accessible to attackers. The CVSS 4.0 base score of 7.8 reflects its high severity, with significant impact on integrity and availability, and a scope change due to possible system-wide effects. No known exploits are currently reported in the wild, but the ease of exploitation and impact warrant proactive mitigation. The affected product is used in FM broadcasting infrastructure, which is critical for communication services. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate protective measures.
Potential Impact
For European organizations, especially those involved in broadcasting, telecommunications, and critical infrastructure, this vulnerability poses a significant risk. Exploitation can lead to deletion of essential files, causing service outages or degraded functionality of FM transmitters. This disruption can affect emergency communication systems, public broadcasting services, and commercial radio operations, potentially impacting millions of users. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without prior access, increasing the threat level. Additionally, deletion of system files might facilitate further attacks, such as privilege escalation or persistent denial of service. The impact extends beyond individual organizations to national communication resilience, making it a strategic concern for European countries with advanced broadcasting networks. The vulnerability could also be leveraged in coordinated attacks targeting multiple transmitters, amplifying the disruption.
Mitigation Recommendations
1. Immediately restrict network access to the upgrade_contents.php endpoint, ideally limiting it to trusted internal management networks or VPNs.
2. Implement web application firewall (WAF) rules to detect and block requests containing suspicious 'deleteupgrade' parameters or attempts to delete files outside expected paths.
3. Conduct thorough input validation and sanitization on the 'deleteupgrade' parameter to enforce strict path and filename restrictions, preventing directory traversal or arbitrary file targeting.
4. Monitor logs for unusual deletion requests or failed attempts to access upgrade_contents.php.
5. Engage with DB Electronica Telecomunicazioni S.p.A. for official patches or firmware updates addressing this vulnerability and apply them promptly once available.
6. Consider deploying intrusion detection systems (IDS) tuned to detect exploitation attempts targeting this vulnerability.
7. Develop and test incident response plans specifically for transmitter outages to minimize downtime in case of exploitation.
8. Isolate critical FM transmitter management interfaces from general corporate networks to reduce exposure.
9. Regularly back up configuration and critical files to enable rapid recovery from file deletion attacks.
10. Educate operational staff about the vulnerability and signs of exploitation to enhance detection and response.
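One way to carry out the log monitoring in recommendation 4, applying the source and path checks from recommendations 1 to 3 to each logged request. This is an added example, not vendor or advisory code. It assumes a combined-format web access log, that `deleteupgrade` arrives in the query string (request bodies are not visible in access logs), and a hypothetical management subnet 10.20.0.0/24; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions: this management subnet is the only legitimate source, and the
# web server writes combined-format access log lines.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3}')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is still seen as '..'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return None for unrelated lines, else (source_ip, verdict, decoded_name)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not fully_decode(url.path).lower().endswith("/upgrade_contents.php"):
        return None
    try:
        trusted = any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED_NETS)
    except ValueError:  # client field is a hostname: treat as untrusted
        trusted = False
    values = parse_qs(url.query, keep_blank_values=True).get("deleteupgrade")
    if values is None:
        # Page requested without the parameter: only worth a look from outside.
        return None if trusted else (m["ip"], "untrusted-access", None)
    names = [fully_decode(v) for v in values]
    # A legitimate delete names one file in the upload directory, nothing more.
    bad = [n for n in names if re.search(r'[/\\\x00]|\.\.', n)]
    if bad:
        return (m["ip"], "path-escape", bad[0])
    return (m["ip"], "delete" if trusted else "untrusted-delete", names[0])

# Constructed sample lines (not taken from a real device).
SAMPLE_LOG = [
    '10.20.0.5 - - [26/Nov/2025:01:30:31 +0000] "GET /upgrade_contents.php?deleteupgrade=fw_old.bin HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:01:31:02 +0000] "GET /upgrade_contents.php?deleteupgrade=fw_old.bin HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:01:31:09 +0000] "GET /upgrade_contents.php?deleteupgrade=%252e%252e%252fexample.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:01:31:15 +0000] "GET /upgrade_contents.php HTTP/1.1" 403 199',
    '10.20.0.5 - - [26/Nov/2025:01:32:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

def scan(lines):
    return [finding for finding in map(classify, lines) if finding is not None]
```

Any verdict other than `delete` from the management subnet should be alerted on; `path-escape` is worth alerting on regardless of source.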
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:33.791Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69265837ca41832e1e5f38f6
Added to database: 11/26/2025, 1:30:31 AM
Last enriched: 12/3/2025, 4:35:47 PM
Last updated: 12/4/2025, 10:27:03 PM