CVE-2025-66260: CWE-89 PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance.
AI Analysis
Technical Summary
The vulnerability CVE-2025-66260 affects the Mozart FM Transmitter devices produced by DB Electronica Telecomunicazioni S.p.A., spanning a wide range of versions from 30 to 7000. The root cause is an SQL injection flaw in the status_sql.php script, which handles parameters sw1 and sw2. These parameters are incorporated directly into SQL UPDATE queries without employing parameterized queries or escaping functions such as pg_escape_string(), leading to injection opportunities. PostgreSQL's pg_exec function limits exploitation by disallowing stacked queries, but attackers can still craft subqueries within the injected input to extract sensitive data from the database. Additionally, verbose error messages returned by the system can aid attackers in reconnaissance and refining their injection payloads. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and availability with limited integrity impact. Despite the absence of known exploits or patches, the vulnerability poses a significant threat to affected systems, especially those exposed to untrusted networks.
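The concatenation pattern the advisory describes, shown beside its parameterized replacement, as an added example; this is not code from the Mozart firmware or from the advisory. The table name `hypothetical_status`, the column names and the row id are assumptions, and the allow-list of 0 to 255 for a switch state is our assumption about legitimate values, not something the advisory states.

```php
<?php
// Added illustration of CVE-2025-66260's root cause and its fix.
// Table/column names (hypothetical_status, sw1, sw2, id) are assumptions;
// the advisory only says status_sql.php builds an UPDATE by concatenating
// the sw1 and sw2 request parameters.

// Vulnerable pattern: request values are spliced into the SQL text, so any
// quote character or expression in sw1/sw2 is parsed as SQL by the server
// when the string is handed to pg_exec(). Shown for contrast only.
function buildUpdateVulnerable(string $sw1, string $sw2): string
{
    return "UPDATE hypothetical_status SET sw1 = '" . $sw1 . "', sw2 = '" . $sw2 . "' WHERE id = 1";
}

// Hardened form: the SQL text is a constant with $1/$2/$3 placeholders and
// the values travel separately as bind parameters, so the server never
// interprets them as SQL. Input is also allow-listed before any SQL exists.
function buildUpdateHardened(string $sw1, string $sw2): array
{
    // Assumption: a switch state is a small integer in 0..255.
    foreach ([$sw1, $sw2] as $value) {
        if (!preg_match('/^\d{1,3}$/', $value) || (int)$value > 255) {
            throw new InvalidArgumentException('sw1/sw2 must be an integer in 0..255');
        }
    }
    $sql = 'UPDATE hypothetical_status SET sw1 = $1, sw2 = $2 WHERE id = $3';
    return [$sql, [(int)$sw1, (int)$sw2, 1]];
}

// Runs the hardened statement through pg_query_params(), which sends query
// text and parameter values to PostgreSQL as separate protocol fields.
function applySwitches($conn, string $sw1, string $sw2): bool
{
    [$sql, $params] = buildUpdateHardened($sw1, $sw2);
    $result = pg_query_params($conn, $sql, $params);
    if ($result === false) {
        // Keep the driver's error text server-side. Echoing pg_last_error()
        // to the client is the verbose-error behaviour the advisory flags
        // as useful for reconnaissance.
        error_log('status update failed: ' . pg_last_error($conn));
        return false;
    }
    return true;
}

// Offline demonstration (no database connection needed).
[$sql, $params] = buildUpdateHardened('1', '0');
echo $sql, PHP_EOL;                  // constant text, placeholders only
echo json_encode($params), PHP_EOL;  // [1,0,1]

try {
    // Any non-numeric value, including one containing a quote, is rejected
    // before a statement is built; the vulnerable builder would have
    // spliced it straight into the SQL text.
    buildUpdateHardened('abc', '0');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

`pg_query_params()` is the preferred fix because it removes string assembly entirely; `pg_escape_string()` (or `pg_escape_literal()`) is the fallback only where a query must be built as text. The allow-list is defence in depth: it also rejects values that are harmless to the SQL layer but meaningless to the transmitter.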
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive configuration or operational data stored in the Mozart FM Transmitter's PostgreSQL database. This could compromise confidentiality and potentially disrupt transmitter operations, impacting broadcast services. Given the critical role of FM transmitters in communication infrastructure, successful attacks could degrade service availability or enable further lateral movement within networks. Organizations in sectors such as broadcasting, emergency services, and telecommunications that rely on these devices are particularly at risk. The lack of authentication requirements means attackers can exploit the vulnerability remotely if the device interfaces are exposed to untrusted networks, increasing the attack surface. The impact is heightened in environments where these transmitters are integrated into critical communication systems, potentially affecting public safety and information dissemination.
Mitigation Recommendations
Immediate mitigation should focus on restricting network access to the status_sql.php endpoint by implementing strict firewall rules and network segmentation to limit exposure to trusted management networks only. Device administrators should monitor logs for unusual requests to sw1 and sw2 parameters indicative of injection attempts. Since no patches are currently available, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting these parameters. Additionally, vendors and users should prioritize developing and applying firmware or software updates that implement parameterized queries or proper input sanitization using pg_escape_string() or equivalent. Regular security assessments and penetration testing of the transmitter interfaces should be conducted to identify exploitation attempts. Finally, organizations should prepare incident response plans to quickly address potential breaches stemming from this vulnerability.
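A way to act on the log-monitoring recommendation above, as an added example that is not part of the advisory: it scans access-log lines for requests to `status_sql.php` whose `sw1`/`sw2` values fall outside an allow-list. The allow-list (an integer in 0 to 255) is an assumption about what the device legitimately accepts, not something the advisory specifies; the log lines are constructed, not captured from a real device.

```php
<?php
// Added detection example, not part of the advisory or the vendor software.
// Allow-list assumption: legitimate sw1/sw2 values are integers 0..255.

// Inspects one Common Log Format line. Returns a reason string when the
// request targets status_sql.php with an out-of-allow-list sw1/sw2 value,
// otherwise null.
function checkStatusSqlRequest(string $logLine): ?string
{
    // Request field looks like: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $path = parse_url($m[1], PHP_URL_PATH);
    if ($path === null || $path === false || basename($path) !== 'status_sql.php') {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params);
    foreach (['sw1', 'sw2'] as $name) {
        if (!array_key_exists($name, $params)) {
            continue;
        }
        $value = $params[$name];
        // Arrays (sw1[]=...), non-digits, or values above 255 are all flagged.
        if (!is_string($value) || !preg_match('/^\d{1,3}$/', $value) || (int)$value > 255) {
            return sprintf('%s outside allow-list: %s', $name, var_export($value, true));
        }
    }
    return null;
}

// Applies the check to every line and returns the hits with their reasons.
function flagSuspiciousRequests(array $logLines): array
{
    $flagged = [];
    foreach ($logLines as $line) {
        $reason = checkStatusSqlRequest($line);
        if ($reason !== null) {
            $flagged[] = ['line' => $line, 'reason' => $reason];
        }
    }
    return $flagged;
}

// Constructed sample log lines (documentation-range IPs, not real traffic).
$sampleLog = [
    '192.0.2.10 - - [26/Nov/2025:01:15:31 +0000] "GET /status_sql.php?sw1=1&sw2=0 HTTP/1.1" 200 312',
    '192.0.2.10 - - [26/Nov/2025:01:15:40 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [26/Nov/2025:01:16:02 +0000] "GET /status_sql.php?sw1=1%20x&sw2=0 HTTP/1.1" 500 88',
    '198.51.100.7 - - [26/Nov/2025:01:16:05 +0000] "GET /status_sql.php?sw1=1&sw2=abc HTTP/1.1" 500 88',
    '198.51.100.7 - - [26/Nov/2025:01:16:09 +0000] "GET /status_sql.php?sw1[]=1&sw2=0 HTTP/1.1" 500 88',
];

// Expect the three 198.51.100.7 lines to be reported.
foreach (flagSuspiciousRequests($sampleLog) as $hit) {
    echo $hit['reason'], ' <- ', $hit['line'], PHP_EOL;
}
```

Two caveats for use: if the device accepts `sw1`/`sw2` in a POST body, the web server's access log will not contain the values and the check must run at the application layer (or on a reverse proxy that logs bodies); and flagged lines paired with 5xx responses deserve priority, since the verbose database errors the advisory mentions surface as server errors.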
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:58.504Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692654b3ca41832e1e5d9fb0
Added to database: 11/26/2025, 1:15:31 AM
Last enriched: 11/26/2025, 1:31:29 AM
Last updated: 12/3/2025, 2:53:44 AM