CVE-2025-66258 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Mozart FM Transmitter products by DB Electronica Telecomunicazioni S.p.A. The vulnerability affects a wide range of product versions, from 30 up to 7000. The root cause is the insecure concatenation of user-controlled filenames into the patchlist.xml file without proper encoding or sanitization. Attackers can craft malicious filenames containing JavaScript payloads (e.g., <img src=x onerror=alert()>.bin) that get stored in patchlist.xml. When the transmitter's web interface loads this XML file via ajax.js, the malicious script executes in the user's browser context. This stored XSS can be exploited remotely without authentication, though it requires user interaction to trigger the payload. The vulnerability impacts confidentiality, integrity, and availability by enabling session hijacking, defacement, or unauthorized commands through the web interface. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N) reflects network attack vector, low attack complexity, no privileges required, partial user interaction, and high impact on confidentiality and scope. No patches or exploits are currently publicly available, but the vulnerability demands urgent attention due to the critical role of FM transmitters in broadcast operations.

For European organizations, this vulnerability poses a significant risk to the security and integrity of broadcast infrastructure managed via the Mozart FM Transmitter. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the transmitter's management interface, potentially leading to session hijacking, unauthorized configuration changes, or disruption of broadcast services. This could result in reputational damage, regulatory non-compliance (especially under GDPR if personal data is involved), and operational downtime. Given the critical nature of broadcast infrastructure in media, emergency communications, and public information dissemination, the impact extends beyond IT to societal and economic domains. Attackers could also leverage this vulnerability as a foothold for lateral movement within organizational networks. The lack of known exploits currently provides a window for proactive mitigation, but the broad range of affected versions increases the attack surface across European broadcasters and telecom operators using these devices.

1. Immediate mitigation should involve restricting access to the transmitter's web management interface to trusted networks and users only, using network segmentation and firewall rules. 2. Implement strict input validation and output encoding on filenames and any user-controlled data before inclusion in XML files or rendering in web interfaces. 3. Monitor and audit patchlist.xml and related files for unexpected or suspicious entries that could indicate attempted exploitation. 4. Employ Content Security Policy (CSP) headers on the web interface to limit the execution of unauthorized scripts. 5. If possible, disable or limit the use of ajax.js or replace it with a secure alternative that properly sanitizes XML data. 6. Engage with the vendor for official patches or firmware updates addressing this vulnerability and apply them promptly once available. 7. Train administrators and users to recognize and avoid interacting with suspicious filenames or links related to the transmitter management. 8. Consider deploying web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting the transmitter's interface. 9. Maintain regular backups and incident response plans tailored for broadcast infrastructure to quickly recover from potential compromises.