
CVE-2025-66258: CWE-79 Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter

Severity: High
Tags: Vulnerability, CVE-2025-66258, CWE-79
Published: Wed Nov 26 2025 (11/26/2025, 00:45:39 UTC)
Source: CVE Database V5
Vendor/Project: DB Electronica Telecomunicazioni S.p.A.
Product: Mozart FM Transmitter

Description

Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file.

AI-Powered Analysis

Last updated: 12/03/2025, 04:25:33 UTC

Technical Analysis

CVE-2025-66258 is a stored cross-site scripting vulnerability classified under CWE-79, discovered in multiple versions of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The vulnerability stems from the insecure handling of user-supplied filenames that are concatenated directly into the patchlist.xml file without proper encoding or sanitization. Attackers can craft filenames containing malicious JavaScript payloads, such as <img src=x onerror=alert()>.bin, which get stored persistently in the system. When the ajax.js script processes and renders the patchlist.xml file in the device's web interface, the injected script executes in the context of the user's browser. This stored XSS can be exploited remotely without authentication but requires user interaction, typically an administrator or operator accessing the device's management interface. The CVSS 4.0 score of 7.1 reflects a high severity due to network attack vector, low attack complexity, no privileges required, partial user interaction, and high impact on confidentiality and partial impact on integrity and availability. The vulnerability could allow attackers to hijack sessions, steal credentials, or pivot into the internal network, potentially disrupting broadcast operations or compromising sensitive data. Although no exploits are currently known in the wild, the broad range of affected versions (from 30 to 7000) indicates widespread exposure. The lack of available patches necessitates immediate mitigation efforts by affected organizations.

Potential Impact

For European organizations, especially broadcasters and telecom operators using Mozart FM Transmitter devices, this vulnerability poses significant risks. Successful exploitation could lead to unauthorized access to device management interfaces, enabling attackers to manipulate broadcast signals, disrupt services, or exfiltrate sensitive operational data. The confidentiality of credentials and session tokens is at risk, potentially allowing lateral movement within critical infrastructure networks. Given the role of FM transmitters in public communications, exploitation could also impact public safety communications or emergency alert systems. The persistent nature of stored XSS increases the likelihood of repeated exploitation. The impact extends beyond individual devices to the broader network and service availability, potentially causing reputational damage and regulatory consequences under GDPR if personal data is compromised.

Mitigation Recommendations

Specific mitigations include:
1) Immediately restrict access to the transmitter's web management interface using network segmentation and firewall rules, limiting exposure to trusted administrators only.
2) Implement input validation and output encoding on filenames before they are stored or rendered, ideally by applying patches or firmware updates once available.
3) Employ web application firewalls (WAFs) capable of detecting and blocking malicious XML payloads or suspicious script injections targeting patchlist.xml.
4) Conduct regular security audits and monitor device logs for unusual filename entries or access patterns.
5) Educate administrators to avoid opening or interacting with suspicious filenames or updates.
6) If possible, disable or isolate ajax.js processing of patchlist.xml until a secure fix is deployed.
7) Coordinate with DB Electronica Telecomunicazioni S.p.A. for timely patches and advisories.
8) Implement multi-factor authentication and session management hardening on management interfaces to reduce the impact if exploitation occurs.
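The following is an added example, not code from DB Electronica or the Mozart firmware. It reproduces the defect described in the technical analysis (a filename concatenated into patchlist.xml without encoding, so its angle brackets become live markup) beside the output encoding and input validation called for in mitigation 2, plus a small audit check in the spirit of mitigation 4. The patchlist layout, function names and filename allow-list are assumptions for illustration.

```javascript
// Payload quoted in the advisory.
const PAYLOAD_NAME = '<img src=x onerror=alert()>.bin';

// Vulnerable writer: raw string concatenation. The filename's angle
// brackets become real markup in the stored file, which is the CWE-79
// condition the advisory describes.
function buildPatchlistUnsafe(filenames) {
  return '<patchlist>' +
    filenames.map((f) => '<file name="' + f + '"/>').join('') +
    '</patchlist>';
}

// Escape the five XML metacharacters so a name is inert inside an attribute.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Inverse, for the consumer that reads the attribute back: the original
// filename survives intact, but only as text, never as markup.
function unescapeXml(s) {
  const rev = Object.fromEntries(Object.entries(XML_ESCAPES).map(([k, v]) => [v, k]));
  return s.replace(/&(amp|lt|gt|quot|apos);/g, (m) => rev[m]);
}

// Hardened writer: output-encode every name before concatenation
// (assumed layout; the vendor's actual patchlist.xml schema is not on the page).
function buildPatchlistSafe(filenames) {
  return '<patchlist>' +
    filenames.map((f) => '<file name="' + escapeXml(f) + '"/>').join('') +
    '</patchlist>';
}

// Input validation: accept only a conservative filename alphabet.
// The pattern is an assumption, not the vendor's rule.
function isAllowedFilename(name) {
  return /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(name);
}

// Audit helper: true when a stored patchlist contains a raw element other
// than the expected <patchlist>/<file> tags, i.e. a name that was written
// without encoding. Useful when reviewing files pulled from a device.
function hasUnexpectedTag(xmlText) {
  const tags = xmlText.match(/<\/?([A-Za-z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(patchlist|file)$/.test(t));
}
```

Rendering the decoded name with a text node (textContent) rather than innerHTML on the client side completes the fix; the encoding above only protects the stored file.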


Technical Details

Data Version: 5.2
Assigner Short Name: Gridware
Date Reserved: 2025-11-26T00:21:33.791Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692654b3ca41832e1e5d9faa

Added to database: 11/26/2025, 1:15:31 AM

Last enriched: 12/3/2025, 4:25:33 AM

Last updated: 1/18/2026, 5:55:34 PM
