CVE-2025-66262: CWE-22 Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform tar extraction with `-C /`, enabling arbitrary file overwrite via a crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.
AI Analysis
Technical Summary
CVE-2025-66262 is a critical vulnerability affecting multiple versions (30 through 7000) of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The root cause is a path traversal flaw (CWE-22) in the `restore_mozzi_memories.sh` script, which extracts user-supplied tar archives with `tar -C /` without validating the paths of the members inside the archive. Because the extraction root is `/`, every member name is resolved against the filesystem root: a plain relative entry such as `etc/shadow` is written directly to `/etc/shadow`, and entries carrying directory traversal sequences (e.g., `../../etc/shadow`) likewise escape whatever restore directory was intended. Whoever supplies the archive therefore controls where its contents are written.
When combined with the unauthenticated file upload vulnerabilities previously identified (CVE-01, CVE-06, CVE-07), an attacker can upload such an archive without authentication or user interaction. This leads to arbitrary overwrite of critical system files such as `/etc/shadow` or web server files like `/var/www/index.php`, enabling full system compromise including privilege escalation, persistent backdoors, or denial of service.
The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the ease of exploitation and the impact make this a high-risk threat. The vulnerability affects a wide range of product versions, indicating a systemic issue in the software design. The lack of patch links suggests that fixes may not yet be publicly available, increasing the urgency of mitigation. Organizations using these transmitters in their broadcast infrastructure are at risk of operational disruption and data compromise if exploited.
Potential Impact
For European organizations, especially broadcasters and telecom operators using DB Electronica's Mozart FM Transmitters, this vulnerability poses a severe risk. Successful exploitation can lead to full system compromise, allowing attackers to overwrite critical system files, escalate privileges, implant persistent malware, disrupt broadcast services, or manipulate transmitted content. This can result in significant operational downtime, loss of data integrity, and potential regulatory non-compliance due to compromised system security. Given the critical role of FM transmitters in media and emergency communication, exploitation could also impact public safety communications. The unauthenticated nature of the exploit means attackers can remotely compromise devices without insider access, increasing the attack surface. The broad range of affected versions implies many deployed devices are vulnerable, potentially affecting multiple European countries with active DB Electronica deployments. The lack of known exploits in the wild currently provides a window for proactive defense, but the critical severity demands immediate attention.
Mitigation Recommendations
1. Immediately audit all Mozart FM Transmitter devices to identify affected versions and disable or restrict access to the `restore_mozzi_memories.sh` script if possible.
2. Implement strict validation and sanitization of all uploaded tar archives to prevent path traversal, including rejecting archives with filenames containing '..' or absolute paths.
3. Apply any vendor-provided patches or updates as soon as they become available; if no patches exist, consider isolating vulnerable devices on segmented networks with strict access controls.
4. Monitor device logs and network traffic for suspicious file upload activity or unexpected file modifications, especially targeting system files like `/etc/shadow` or web directories.
5. Employ application whitelisting or integrity monitoring tools on transmitter devices to detect unauthorized file changes.
6. Restrict unauthenticated file upload capabilities by enforcing authentication and authorization controls.
7. Conduct regular security assessments and penetration tests focused on file upload and extraction functionalities.
8. Coordinate with DB Electronica Telecomunicazioni S.p.A. for timely vulnerability disclosures and remediation guidance.
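The pre-extraction check that mitigation step 2 asks for, as an added example that is not part of this advisory or of the vendor's `restore_mozzi_memories.sh`. Because the script extracts with `-C /`, rejecting `..` components and absolute paths alone is not sufficient: a plain relative member such as `etc/shadow` still lands on `/etc/shadow`. The validator below therefore also requires every member to resolve under an allow-listed restore directory and refuses link and device entries. `ALLOWED_PREFIX` (`opt/mozart/memories/`) is an assumption, since the transmitter's real backup layout is not given on the page, and both sample archives are constructed test fixtures.

```python
"""Pre-extraction validation of a backup tar archive (added example, not vendor code).

The validator walks the archive's member list and refuses anything that
`tar -C /` would write outside an allow-listed restore directory. It never
extracts anything, so it can be run on an untrusted upload before the
real restore step.
"""
import io
import posixpath
import tarfile
from typing import List, Optional

# Assumed restore location (hypothetical: the transmitter's real backup
# directory is not named in the advisory).
ALLOWED_PREFIX = "opt/mozart/memories/"
# The vulnerable script extracts relative to the filesystem root.
EXTRACT_ROOT = "/"


def member_destination(name: str, root: str = EXTRACT_ROOT) -> str:
    """Absolute path that `tar -C <root>` would write this member to, with '.' and '..' collapsed."""
    return posixpath.normpath(posixpath.join(root, name))


def check_member(m: tarfile.TarInfo) -> Optional[str]:
    """Return a rejection reason for one member, or None if it may be restored."""
    name = m.name
    if name.startswith("/"):
        return "absolute path: " + name
    if ".." in name.split("/"):
        return "parent-directory component: " + name
    # Links are rejected even inside the prefix: a symlink extracted first can
    # redirect a later member's write to an arbitrary location.
    if m.issym() or m.islnk():
        return "link entry: " + name + " -> " + m.linkname
    if m.isdev() or m.isfifo():
        return "special file: " + name
    if not (m.isfile() or m.isdir()):
        return "unexpected entry type: " + name
    allowed_dir = posixpath.normpath(posixpath.join(EXTRACT_ROOT, ALLOWED_PREFIX))
    dest = member_destination(name)
    if dest != allowed_dir and not dest.startswith(allowed_dir + "/"):
        return "outside allowed prefix: " + name + " -> " + dest
    return None


def validate_archive(data: bytes) -> List[str]:
    """List every rejection reason; an empty list means the archive may be restored."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            reason = check_member(m)
            if reason is not None:
                problems.append(reason)
    return problems


def build_archive(entries) -> bytes:
    """Build a .tgz in memory from (name, content, linkname) tuples (fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)
            else:
                payload = content.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives: a legitimate preset backup, and one that mixes a
# legitimate file with the member shapes the advisory describes.
GOOD_ARCHIVE = build_archive([
    ("opt/mozart/memories/preset1.cfg", "placeholder preset data\n", None),
])
BAD_ARCHIVE = build_archive([
    ("opt/mozart/memories/preset1.cfg", "placeholder preset data\n", None),
    ("etc/shadow", "placeholder\n", None),           # relative, but -C / puts it at /etc/shadow
    ("../../var/www/index.php", "placeholder\n", None),
    ("/etc/passwd", "placeholder\n", None),
    ("opt/mozart/memories/out", None, "/etc"),       # symlink pointing out of the prefix
])

if __name__ == "__main__":
    for label, archive in (("good", GOOD_ARCHIVE), ("bad", BAD_ARCHIVE)):
        problems = validate_archive(archive)
        print(label, "->", "OK to restore" if not problems else problems)
```

In a restore workflow the script would run `validate_archive` on the uploaded file and refuse to call `tar` at all if the list is non-empty; the reported reasons are also the lines worth writing to the device log for the monitoring called for in step 4.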
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:58.504Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 692654b3ca41832e1e5d9fb6
Added to database: 11/26/2025, 1:15:31 AM
Last enriched: 12/3/2025, 4:28:32 AM
Last updated: 1/10/2026, 10:12:21 PM