CVE-2025-66261: CWE-78 Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution: the URL-decoded `name` parameter is passed straight to `exec()`. The `/var/tdf/restore_settings.php` endpoint passes the user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.
AI Analysis
Technical Summary
CVE-2025-66261 is an unauthenticated OS command injection vulnerability identified in the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The vulnerability resides in the restore_settings.php script located at /var/tdf/restore_settings.php. Specifically, the 'name' parameter received via HTTP GET is URL-decoded using urldecode() and then passed directly into the PHP exec() function without any sanitization or validation. This unsafe handling allows attackers to inject arbitrary shell commands by including shell metacharacters such as ';', '|', or '&&' within the 'name' parameter. Because the endpoint does not require authentication, any remote attacker with network access to the device's web interface can exploit this vulnerability to execute arbitrary commands with the privileges of the web server user. The affected versions include a broad range of Mozart FM Transmitter models (30 through 7000), indicating a widespread issue across the product line. The vulnerability has a CVSS 4.0 score of 9.9, reflecting its critical nature due to the ease of exploitation (no authentication or user interaction required), high impact on confidentiality, integrity, and availability, and the absence of any security controls mitigating the attack. While no public exploits or patches are currently known, the risk of remote code execution on critical broadcast equipment poses a significant threat to operational continuity and security. Attackers could leverage this flaw to disrupt FM transmission services, manipulate broadcast content, or use compromised devices as pivot points within organizational networks.
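The pattern the summary describes, placed beside a hardened counterpart, as an added example written for this page; it is not the vendor's restore_settings.php, whose contents are not published here. The restore tool path, the settings directory, the `.cfg` suffix and the function names are assumptions. One detail that matters both for the fix and for detection: PHP has already percent-decoded `$_GET` by the time the script runs, so the script's extra `urldecode()` decodes the value a second time before it reaches `exec()`.

```php
<?php
// Added example, not the vendor's code: a hypothetical reconstruction of the
// vulnerable pattern described in the advisory, followed by a hardened handler.
// Tool path, settings directory and function names are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (as the advisory describes it) ---------------------
// $_GET is already percent-decoded by PHP, so urldecode() decodes a second
// time; the result is then spliced into a shell command line for exec().
function restore_settings_vulnerable(array $get): string
{
    $name = urldecode($get['name'] ?? '');
    exec('restore_tool ' . $name, $output);   // shell interprets any metacharacter in $name
    return implode("\n", $output);
}

// --- Hardened handler ------------------------------------------------------
const SETTINGS_DIR = '/var/tdf/settings';     // assumed location of saved profiles

function validated_settings_path(string $name): ?string
{
    // 1. Allowlist the identifier: letters, digits, underscore and hyphen only.
    //    This rejects ; | & $ ` quotes, whitespace, slashes and ".." in one test.
    if ($name === '' || strlen($name) > 64 || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    // 2. Resolve to an existing file and require it to live under SETTINGS_DIR.
    $path = realpath(SETTINGS_DIR . '/' . $name . '.cfg');
    if ($path === false || strncmp($path, SETTINGS_DIR . '/', strlen(SETTINGS_DIR) + 1) !== 0) {
        return null;
    }
    return $path;
}

function restore_settings_hardened(array $get, callable $is_authenticated): string
{
    // 3. Require an authenticated session; the advisory notes the endpoint has none.
    if (!$is_authenticated()) {
        http_response_code(401);
        return 'authentication required';
    }
    // Do not urldecode() again: PHP has already decoded $_GET once.
    $path = validated_settings_path((string)($get['name'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        return 'invalid settings name';
    }
    // 4. Even after validation, quote the argument so the shell sees it as data,
    //    and call the tool by an absolute path rather than relying on PATH.
    exec('/usr/local/bin/restore_tool ' . escapeshellarg($path), $output, $status);
    return $status === 0 ? implode("\n", $output) : 'restore failed';
}
```

The allowlist in step 1 does the real work; `escapeshellarg()` in step 4 is defence in depth, and removing `exec()` altogether in favour of reading the profile file directly from PHP would remove the shell from the picture entirely.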
Potential Impact
For European organizations, particularly broadcasters and telecommunications providers using Mozart FM Transmitters, this vulnerability presents a severe risk. Exploitation could lead to unauthorized remote code execution, allowing attackers to disrupt FM broadcast services, alter transmitted content, or cause denial of service. This could damage organizational reputation, violate regulatory compliance related to broadcast integrity, and potentially impact public safety communications. Additionally, compromised devices could serve as entry points for lateral movement within corporate networks, threatening broader IT infrastructure. The criticality is heightened in countries with dense broadcast networks or where these devices are widely deployed. The lack of authentication and ease of exploitation mean that attackers can operate remotely without prior access, increasing the likelihood of attacks. The absence of known patches or mitigations further exacerbates the risk, necessitating immediate defensive measures. Operational disruptions could have cascading effects on media outlets, emergency broadcast systems, and telecommunications services across Europe.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. These include restricting network access to the transmitter's web management interface through network segmentation and firewall rules, allowing only trusted administrative hosts to connect. Employ VPNs or secure tunnels for remote management to prevent exposure to the public internet. Monitor network traffic for suspicious requests targeting restore_settings.php with unusual 'name' parameter values containing shell metacharacters. Implement web application firewalls (WAFs) with custom rules to detect and block command injection patterns. Disable or restrict the restore_settings.php endpoint if not required for normal operations. Conduct thorough audits of device configurations and logs to detect any signs of compromise. Engage with the vendor for updates or patches and plan for timely firmware upgrades once available. Additionally, consider deploying intrusion detection systems (IDS) tuned for command injection attempts and maintain up-to-date asset inventories to identify all affected devices. Training operational staff to recognize signs of exploitation and establishing incident response plans specific to broadcast infrastructure compromise are also recommended.
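A matcher for the monitoring recommendation above, added here as an example rather than taken from the advisory: it reads Apache combined-format access-log lines, keeps only requests to restore_settings.php, decodes the `name` parameter twice (once as PHP does for `$_GET`, once more for the script's own `urldecode()`), and reports any value that falls outside a conservative identifier alphabet. The log lines are constructed samples using documentation addresses; the field layout assumes the device, or a proxy in front of it, logs in combined format.

```php
<?php
// Added example, not part of the advisory: a log matcher for requests to
// restore_settings.php whose name parameter contains shell metacharacters.
// The log lines below are constructed samples, not real traffic.

declare(strict_types=1);

function sample_log(): string
{
    // Constructed Apache combined-format lines (documentation IP ranges).
    return <<<'LOG'
192.0.2.10 - - [26/Nov/2025:01:15:31 +0000] "GET /restore_settings.php?name=studio_default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Nov/2025:01:16:02 +0000] "GET /status.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:01:17:45 +0000] "GET /restore_settings.php?name=default%3Bid HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.7 - - [26/Nov/2025:01:18:12 +0000] "GET /restore_settings.php?name=default%253Bid HTTP/1.1" 200 64 "-" "curl/8.0"
LOG;
}

function parse_request(string $line): ?array
{
    // Pull client, timestamp, method and URL out of the combined-format line.
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    // parse_str() percent-decodes once, exactly as PHP does when building $_GET.
    parse_str($url['query'] ?? '', $params);
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'params' => $params,
    ];
}

function suspicious_name(string $name): bool
{
    // Mirror the endpoint: the script calls urldecode() on an already-decoded
    // value, so inspect the twice-decoded form. A filter that looks only at the
    // raw query string would miss the second encoding layer.
    $decoded = urldecode($name);
    // Anything outside a conservative identifier alphabet is reported; this
    // covers ; | & $ ` ( ) quotes, newlines and whitespace in one test.
    return !preg_match('/^[A-Za-z0-9_.-]*$/', $decoded);
}

function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_request($line);
        if ($req === null || !str_ends_with($req['path'], '/restore_settings.php')) {
            continue;
        }
        $name = (string)($req['params']['name'] ?? '');
        if (suspicious_name($name)) {
            $hits[] = sprintf('%s client=%s name=%s', $req['time'], $req['client'], $name);
        }
    }
    return $hits;   // two hits for the sample: the %3B and the %253B requests
}

foreach (scan_log(sample_log()) as $hit) {
    echo "ALERT possible command injection attempt: $hit\n";
}
```

Run it against a live log with `php scan.php < /dev/null` after replacing `sample_log()` with a file read; the same double-decoding rule applies to any WAF or IDS signature written for this endpoint, otherwise the second encoding layer slips past a rule that matches the raw query string.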
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:58.504Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692654b3ca41832e1e5d9fb3
Added to database: 11/26/2025, 1:15:31 AM
Last enriched: 11/26/2025, 1:31:18 AM
Last updated: 11/26/2025, 6:02:52 AM