CVE-2025-66261: CWE-78 Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution because the URL-decoded `name` parameter is passed to `exec()`. The `/var/tdf/restore_settings.php` endpoint passes the user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
AI Analysis
Technical Summary
CVE-2025-66261 is a critical unauthenticated OS command injection vulnerability affecting multiple versions (30 through 7000) of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The vulnerability exists in the /var/tdf/restore_settings.php endpoint, where the 'name' parameter received via HTTP GET is URL-decoded and passed directly to the PHP exec() function without any input validation or escaping. This allows an attacker to inject arbitrary shell commands using metacharacters such as ';', '|', or '&&', leading to remote code execution with the privileges of the web server user. The vulnerability requires no authentication or user interaction, making it trivially exploitable over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N) indicates network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. The affected devices are specialized FM transmitters used in broadcasting infrastructure, which may be deployed in critical communication environments. Although no public exploits have been reported yet, the straightforward exploitation method and critical impact make this a high-priority vulnerability for affected organizations to address promptly.
Potential Impact
The vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands on affected Mozart FM Transmitter devices, potentially leading to full compromise of the device. This can result in unauthorized access to sensitive broadcast configurations, disruption or manipulation of FM transmission services, and use of the compromised device as a foothold for lateral movement within organizational networks. For European organizations, especially broadcasters and telecom operators relying on these devices, this could lead to significant operational outages, reputational damage, and regulatory compliance issues under frameworks like GDPR if personal data or critical infrastructure is impacted. The ability to execute commands as the web server user could also facilitate installation of persistent malware or pivoting attacks against other network assets. Given the criticality and ease of exploitation, the threat poses a severe risk to the availability and integrity of broadcast services and associated communication infrastructure in Europe.
Mitigation Recommendations
1. Immediately restrict network access to the /var/tdf/restore_settings.php endpoint by implementing firewall rules or network segmentation to limit exposure to trusted management networks only.
2. Disable the restore_settings.php functionality if it is not essential for operations until a patch is available.
3. Monitor network traffic and device logs for suspicious requests containing shell metacharacters or unusual command patterns targeting the 'name' parameter.
4. Engage with DB Electronica Telecomunicazioni S.p.A. to obtain and apply official patches or firmware updates addressing this vulnerability as soon as they are released.
5. Implement web application firewall (WAF) rules to detect and block command injection attempts targeting this endpoint.
6. Conduct thorough security assessments of all Mozart FM Transmitter devices in use to identify any signs of compromise.
7. Establish incident response plans specific to broadcast infrastructure to quickly contain and remediate potential exploitation.
8. Educate operational technology (OT) and IT teams on the risks and detection methods related to this vulnerability.
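For recommendation 3, the following is an added example (not code from the advisory or the vendor) of a log check that normalises the `name` parameter the same way the endpoint does: PHP has already decoded `$_GET["name"]` once before the explicit `urldecode()` call runs, so the value must be decoded twice before inspection. Assumptions: access logs are in Apache/nginx combined format, the endpoint is matched by script file name because the page does not give its URL path, and the metacharacter set extends the advisory's `;`, `|`, `&&` with other common shell operators; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "restore_settings.php"
# ; | & come from the advisory; backtick, $, <, >, CR and LF are this
# example's own additions (assumption).
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
LOG_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def effective_name(request_target):
    """Return 'name' as exec() would receive it, or None if not applicable."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/" + ENDPOINT):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("name")
    if not values:
        return None
    # parse_qs mirrors PHP's automatic decoding of $_GET (PHP keeps the last
    # duplicate); unquote_plus mirrors the endpoint's extra urldecode().
    return unquote_plus(values[-1])

def scan(lines):
    """Return (line_number, decoded_name) for requests carrying metacharacters."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQ.search(line)
        name = effective_name(m.group(1)) if m else None
        if name is not None and SHELL_META.search(name):
            hits.append((n, name))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2025:01:15:31 +0000] "GET /restore_settings.php?name=backup_01.tar HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:01:16:02 +0000] "GET /restore_settings.php?name=backup_01.tar%3Bid HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:01:16:09 +0000] "GET /restore_settings.php?name=backup_01.tar%257Cid HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Nov/2025:01:17:44 +0000] "GET /status.php?name=a%3Bb HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious name={name!r}")
```

The third sample line is flagged only because of the second decoding pass; a filter or WAF rule that decodes once sees `%7C` there rather than `|`.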
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:58.504Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 692654b3ca41832e1e5d9fb3
Added to database: 11/26/2025, 1:15:31 AM
Last enriched: 12/3/2025, 4:28:00 AM
Last updated: 1/10/2026, 10:11:20 PM