
CVE-2025-66260: CWE-89 PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter

High
Tags: Vulnerability, CVE-2025-66260, CWE-89
Published: Wed Nov 26 2025 (11/26/2025, 00:48:34 UTC)
Source: CVE Database V5
Vendor/Project: DB Electronica Telecomunicazioni S.p.A.
Product: Mozart FM Transmitter

Description

PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.

AI-Powered Analysis

Last updated: 12/03/2025, 04:27:16 UTC

Technical Analysis

CVE-2025-66260 is a SQL injection vulnerability classified under CWE-89, affecting the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A., spanning versions 30 through 7000. The vulnerability resides in the status_sql.php script, which constructs SQL UPDATE statements by directly concatenating the sw1 and sw2 HTTP parameters without employing parameterized queries or escaping functions like pg_escape_string(). This unsafe coding practice allows an attacker to inject malicious SQL code. Although PostgreSQL's pg_exec function restricts execution of multiple stacked queries, the attacker can still leverage subqueries within the injected input to exfiltrate data from the database. Additionally, verbose error messages returned by the server can aid attackers in enumerating database schema and refining their injection payloads. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 7.2 (high), reflecting the ease of exploitation and the significant impact on confidentiality and availability, with limited impact on integrity. No known public exploits or patches are currently available, increasing the urgency for affected organizations to implement mitigations. The affected product is specialized hardware/software used in FM transmission systems, which may be deployed in broadcast infrastructure across various countries.
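The description and analysis above both come down to one coding defect: request parameters spliced into the text of an UPDATE statement. The following PHP is an added illustration written for this page, not the vendor's status_sql.php, showing that pattern next to a hardened replacement that validates the inputs and uses pg_query_params(). The table name status, the column names, the WHERE id = 1 filter and the assumption that sw1/sw2 are 0/1 flags are all placeholders; the real schema is not published.

```php
<?php
// Added illustration for CVE-2025-66260 (not the vendor's code).
// Assumptions: $conn is an open PostgreSQL connection; a table "status" with
// integer columns sw1, sw2 and an id column exists. Both are placeholders.

// Unsafe pattern described in the advisory: the raw sw1/sw2 values become part
// of the SQL text, so a quote or operator in either parameter changes the
// statement itself. pg_exec() would run whatever string this returns.
function build_update_unsafe(string $sw1, string $sw2): string
{
    return "UPDATE status SET sw1 = '" . $sw1 . "', sw2 = '" . $sw2 . "' WHERE id = 1";
}

// Hardened form, step 1: validate against what the field is allowed to hold.
// The switches are assumed to be 0/1 flags; anything else is rejected before
// the database is involved.
function parse_switch(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[01]$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form, step 2: a parameterized query. The values are sent separately
// from the SQL text, so the server never interprets them as SQL. (If a code
// path cannot be parameterized, pg_escape_string()/pg_escape_literal() is the
// fallback, but the allow-list check above should still run first.)
function update_status_safe($conn, ?string $rawSw1, ?string $rawSw2): bool
{
    $sw1 = parse_switch($rawSw1);
    $sw2 = parse_switch($rawSw2);
    if ($sw1 === null || $sw2 === null) {
        http_response_code(400);
        return false;   // do not echo the rejected value back to the client
    }

    $result = pg_query_params(
        $conn,
        'UPDATE status SET sw1 = $1, sw2 = $2 WHERE id = 1',
        [$sw1, $sw2]
    );
    if ($result === false) {
        // Keep the driver's error text server-side; a verbose message in the
        // HTTP response is exactly the reconnaissance aid the advisory warns about.
        error_log('status update failed: ' . pg_last_error($conn));
        http_response_code(500);
        return false;
    }
    return true;
}

// Typical call site, assuming the parameters arrive via GET as on the device:
// update_status_safe($conn, $_GET['sw1'] ?? null, $_GET['sw2'] ?? null);
```

The two changes are independent and both matter: the allow-list check limits what can reach the database at all, and the parameterized query means that even a value that slips past validation is data, not SQL. Returning a generic 400/500 rather than the PostgreSQL error text closes the error-message channel the advisory describes.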

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive configuration or operational data from the Mozart FM Transmitter devices, potentially exposing network topology, broadcast parameters, or credentials. This data leakage could facilitate further attacks on broadcast infrastructure or related systems. Additionally, attackers could disrupt transmitter operation by manipulating database entries, causing denial of service or degraded broadcast quality, impacting service availability. Given the critical role of FM transmitters in public communication and emergency broadcasts, such disruptions could have significant societal and economic consequences. Confidentiality breaches may also expose proprietary or regulatory information, leading to compliance violations under GDPR or other data protection laws. The lack of authentication requirement and remote exploitability increases the threat level for organizations operating these devices in Europe, especially in sectors like media, emergency services, and government communications.

Mitigation Recommendations

Organizations should immediately audit their Mozart FM Transmitter deployments to identify affected versions (30 through 7000). Until a vendor patch is released, implement network-level protections such as restricting access to the status_sql.php endpoint via firewall rules or VPNs, limiting exposure to trusted management networks only. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting sw1 and sw2 parameters. Monitor logs for unusual query patterns or error messages indicative of injection attempts. Engage with the vendor for timely patch releases and apply updates as soon as available. Consider isolating transmitter management interfaces from general network access and enforcing strict access controls. Additionally, conduct regular security assessments and penetration tests focusing on SQL injection vectors in device management interfaces. Document and train operational staff on incident response procedures related to potential exploitation of this vulnerability.
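As an added example of the log-monitoring step above (not part of the advisory or of any vendor tooling), the PHP below reviews web-server access-log lines for requests to status_sql.php whose sw1/sw2 values fall outside the expected format, or that produced a server error (a possible sign of the verbose database errors the advisory mentions). It assumes combined-format access logs, that the endpoint is reached over GET, and that legitimate sw1/sw2 values are 0/1 flags; the EXPECTED pattern is a placeholder to adjust for the real device, and the log lines are constructed samples.

```php
<?php
// Added example for CVE-2025-66260 log review (not the vendor's or OffSeq's code).
// Assumption: legitimate sw1/sw2 values are single 0/1 flags. Adjust if the
// device accepts other values.
const EXPECTED = '/^[01]$/';

// Constructed sample log lines. Line 1 is a normal request; lines 2 and 3
// deviate from the expected parameter format (line 2 also triggered a 500);
// line 4 is unrelated traffic.
const SAMPLE_LOG = <<<'LOG'
192.0.2.10 - - [26/Nov/2025:10:00:01 +0000] "GET /status_sql.php?sw1=1&sw2=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:10:00:05 +0000] "GET /status_sql.php?sw1=1%27&sw2=0 HTTP/1.1" 500 1320 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2025:10:00:09 +0000] "GET /status_sql.php?sw1=1&sw2=999 HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.10 - - [26/Nov/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line and return a finding, or null if it is
// either not for status_sql.php or looks normal.
function review_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;   // unparseable line; a real pipeline would count these
    }
    [, $ip, $ts, , $target, $status] = $m;

    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== '/status_sql.php') {
        return null;
    }
    parse_str($parts['query'] ?? '', $q);   // parse_str also URL-decodes values

    $reasons = [];
    foreach (['sw1', 'sw2'] as $p) {
        if (isset($q[$p]) && !preg_match(EXPECTED, (string) $q[$p])) {
            $reasons[] = "$p outside expected format";
        }
    }
    if ((int) $status >= 500) {
        $reasons[] = 'server error on status_sql.php (check for leaked DB error text)';
    }
    if ($reasons === []) {
        return null;
    }
    return ['ip' => $ip, 'time' => $ts, 'status' => (int) $status, 'reasons' => $reasons];
}

// Run the check over a whole log and collect the findings.
function review_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = review_line($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// On the sample above this reports the two lines from 198.51.100.7.
foreach (review_log(SAMPLE_LOG) as $f) {
    printf("%s %s HTTP %d: %s\n", $f['time'], $f['ip'], $f['status'], implode('; ', $f['reasons']));
}
```

Matching against an allow-list of expected values rather than a deny-list of injection keywords is deliberate: it needs no knowledge of specific payloads, and the same rule can be expressed in a WAF as "sw1 and sw2 on status_sql.php must match ^[01]$". Correlating the parameter anomaly with a 5xx response on the same endpoint gives a higher-confidence signal than either alone.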


Technical Details

Data Version: 5.2
Assigner Short Name: Gridware
Date Reserved: 2025-11-26T00:21:58.504Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692654b3ca41832e1e5d9fb0

Added to database: 11/26/2025, 1:15:31 AM

Last enriched: 12/3/2025, 4:27:16 AM

Last updated: 1/19/2026, 9:53:17 AM
