CVE-2025-66255 is a critical vulnerability affecting multiple versions (30 through 7000) of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The core issue lies in the upgrade_contents.php endpoint responsible for firmware upgrades. This endpoint accepts arbitrary file uploads without enforcing critical security controls such as file header validation, cryptographic signature verification, or ensuring the uploaded files conform to the expected .tgz firmware package format. Due to this lack of validation, an unauthenticated attacker can upload malicious firmware or arbitrary files, leading to remote code execution on the device. The vulnerability is classified under CWE-345, indicating missing signature validation. The exploit requires no authentication (AV:N/AC:L/AT:N/PR:N/UI:N) and can be executed remotely over the network, making it highly accessible to attackers. The vulnerability impacts confidentiality, integrity, and availability (VC:H/VI:H/VA:N) of the affected devices, potentially allowing attackers to take full control, disrupt broadcasting services, or use the compromised devices as pivot points within a network. Despite the severity, no exploits have been reported in the wild yet. The affected product is specialized hardware used in FM transmission, which is critical infrastructure in many countries. The vulnerability's critical CVSS 4.0 score of 9.9 reflects the high risk posed by this flaw. The lack of patch links indicates that a fix has not yet been publicly released, emphasizing the urgency for mitigation and vendor response.

For European organizations, especially broadcasters and telecommunications providers using Mozart FM Transmitters, this vulnerability poses a severe risk. Successful exploitation can lead to full device compromise, allowing attackers to inject malicious firmware that could disrupt FM transmission services, degrade broadcast quality, or cause complete outages. This can impact public communication channels, emergency broadcast systems, and commercial radio services, potentially causing widespread disruption. Additionally, compromised devices could be leveraged as entry points for lateral movement within organizational networks, threatening broader IT infrastructure. The integrity and availability of critical communication infrastructure are at risk, which could have regulatory and reputational consequences. Given the unauthenticated nature of the exploit and the lack of required user interaction, attackers can easily target exposed devices remotely. The absence of current patches increases the window of exposure. Organizations in Europe that rely on these transmitters for public or private communications must consider this a high-priority threat.

1. Immediately restrict network access to the upgrade_contents.php endpoint by implementing firewall rules or network segmentation to limit exposure to trusted administrators only. 2. Monitor network traffic for unusual or unauthorized upload attempts to the firmware upgrade endpoint. 3. Disable remote firmware upgrades if possible until a secure patch is available. 4. Engage with DB Electronica Telecomunicazioni S.p.A. to obtain or request a firmware update that enforces strict validation of uploaded files, including cryptographic signature checks and file format verification. 5. Implement intrusion detection systems (IDS) or endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. 6. Conduct regular audits of device firmware versions and configurations to ensure compliance with security best practices. 7. Prepare incident response plans specific to FM transmitter compromise scenarios to minimize downtime and impact. 8. Consider deploying compensating controls such as VPNs or management VLANs to isolate device management interfaces from general network access.