CVE-2025-66259 is a critical vulnerability affecting multiple versions of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The root cause is improper input validation (CWE-20) in the main_ok.php script, where user-supplied parameters related to hour and time are directly passed into a shell date command without sanitization. This improper filtering allows an authenticated attacker with high privileges to inject arbitrary shell commands, leading to remote code execution with root-level permissions. The vulnerability affects a wide range of product versions (30 through 7000), indicating a systemic issue in the software design. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), but with privileges required (PR:H), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:N). The scope is high (SC:H), indicating that the vulnerability affects components beyond the initially vulnerable one, and the impact is significant. Although no public exploits are currently known, the criticality and ease of exploitation through authenticated access make this a severe threat. The vulnerability could allow attackers to take full control of affected devices, disrupt broadcasting services, manipulate transmitted content, or use the devices as pivot points for further network compromise. The lack of available patches at the time of disclosure increases the urgency for organizations to implement interim mitigations.

For European organizations, especially those in broadcasting, telecommunications, and media sectors using DB Electronica's Mozart FM Transmitters, this vulnerability poses a severe risk. Successful exploitation could lead to complete device compromise, allowing attackers to disrupt FM transmission services, manipulate broadcast content, or cause denial of service. This could impact public communication channels, emergency broadcast systems, and commercial media operations. The root-level access gained could also be leveraged to move laterally within organizational networks, threatening broader IT infrastructure. Given the criticality of broadcast infrastructure in Europe for public safety and information dissemination, the impact extends beyond commercial loss to potential societal disruption. The vulnerability's presence in multiple product versions increases the attack surface, and the lack of known exploits does not preclude imminent attacks, especially from advanced persistent threat actors targeting critical infrastructure. Organizations may face regulatory and reputational consequences if exploitation leads to service outages or data integrity issues.

Immediate mitigation steps include restricting access to the affected devices to trusted administrators only, ideally via secure management networks isolated from general enterprise or public networks. Implement strict authentication and authorization controls to limit who can reach the main_ok.php interface. Employ network segmentation and firewall rules to block unauthorized inbound connections to transmitter management interfaces. Monitor device logs and network traffic for unusual command execution patterns or unexpected shell activity. Until official patches are released, consider disabling or restricting functionality that processes user-supplied time/hour inputs if feasible. Engage with DB Electronica Telecomunicazioni S.p.A. for timely patch updates and apply them promptly once available. Conduct thorough security audits of all Mozart FM Transmitter devices in use to identify vulnerable versions and prioritize remediation. Develop incident response plans specific to transmitter compromise scenarios, including backup and recovery procedures to minimize broadcast disruption. Additionally, implement application-layer input validation and sanitization controls where possible to prevent injection attacks.