
CVE-2025-66262: CWE-22 Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter

Severity: Critical
Tags: Vulnerability, CVE-2025-66262, CWE-22
Published: Wed Nov 26 2025 (11/26/2025, 00:50:55 UTC)
Source: CVE Database V5
Vendor/Project: DB Electronica Telecomunicazioni S.p.A.
Product: Mozart FM Transmitter

Description

Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to trigger tar extraction with `-C /`, allowing arbitrary file overwrite via a crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with the `-C /` flag, depositing their contents at the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise.

AI-Powered Analysis

Last updated: 11/26/2025, 01:31:04 UTC

Technical Analysis

CVE-2025-66262 is a critical vulnerability classified under CWE-22 (Path Traversal) affecting DB Electronica Telecomunicazioni S.p.A.'s Mozart FM Transmitter devices across a wide range of versions (30 through 7000). The root cause lies in the restore_mozzi_memories.sh script, which extracts tar archives using the '-C /' option, so that every member is written relative to the root filesystem without any validation of the archive's internal member paths. This lack of path sanitization lets an attacker craft tar archives whose member names resolve to system files: because the extraction root is already '/', a plain relative name such as etc/shadow lands on /etc/shadow, and no '../' traversal sequence (e.g., ../../etc/shadow) is even required. The result is arbitrary file overwrite on the target system.

The vulnerability is exacerbated by the presence of unauthenticated file upload vulnerabilities (referenced as CVE-01, CVE-06, CVE-07), which allow attackers to upload such crafted archives without authentication or user interaction. By overwriting critical system files such as /etc/shadow or web server files (e.g., /var/www/index.php), attackers can achieve full system compromise, including privilege escalation and persistent backdoors.

The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/AU:N) reflects a network attack vector, low attack complexity, no privileges or user interaction required, low confidentiality impact (VC:L) but high integrity and availability impact (VI:H, VA:H) on the vulnerable system, and high integrity and availability impact on subsequent systems (SI:H, SA:H). While no public exploits are currently known, the vulnerability's characteristics make it highly exploitable and dangerous. The affected product line is specialized hardware used in FM transmission, a niche but critical target, especially for broadcasting infrastructure.

Potential Impact

For European organizations, particularly broadcasters, telecom operators, and infrastructure providers using Mozart FM Transmitter devices, this vulnerability poses severe risks. Successful exploitation can lead to full system compromise, enabling attackers to overwrite critical system files, disrupt broadcasting services, manipulate transmitted content, or gain persistent access to internal networks. The confidentiality of sensitive data, including authentication credentials stored in /etc/shadow, can be compromised, leading to further lateral movement within networks. Integrity and availability of transmission services can be severely impacted, causing outages or misinformation dissemination.

Given the critical role of FM transmitters in public communication and emergency broadcasting, exploitation could have cascading effects on public safety and information reliability. Additionally, the lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of targeted attacks or automated exploitation campaigns. The potential for reputational damage and regulatory penalties under European cybersecurity and data protection laws (e.g., NIS Directive, GDPR) further elevates the impact.

Mitigation Recommendations

1. Immediately restrict or disable unauthenticated file upload functionality associated with the affected devices until patches are available.
2. Implement strict validation and sanitization of all uploaded archive contents, ensuring no path traversal sequences are present before extraction.
3. Modify or replace the restore_mozzi_memories.sh script to avoid extracting archives directly to the root filesystem; instead, extract to a controlled, isolated directory with limited permissions.
4. Employ application-layer firewalls or intrusion prevention systems to detect and block suspicious tar archive uploads or path traversal attempts.
5. Monitor device logs and network traffic for unusual file upload activity or unexpected modifications to critical system files.
6. Coordinate with DB Electronica Telecomunicazioni S.p.A. for timely security patches or firmware updates addressing this vulnerability.
7. Conduct thorough security audits of all Mozart FM Transmitter devices in use, verifying configuration and patch status.
8. Where possible, segment transmitter devices on isolated network segments to limit attacker lateral movement if compromised.
9. Educate operational staff on the risks and signs of exploitation attempts related to this vulnerability.
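As an added illustration of the root cause described in the technical analysis and of mitigation steps 2 and 3, the following Python example (not code from the vendor or from the advisory) audits every member of an uploaded tar archive before extraction and then extracts into a staging directory instead of '-C /'. The allow-listed restore prefix var/backups/mozzi/ and the sample archives are constructed for the example; the real Mozart backup layout is not documented on this page.

```python
import io, posixpath, tarfile, tempfile
from pathlib import Path

def unsafe_reason(member, allowed_prefix=None):
    """Return why a tar member must not be restored, or None if it passes every check."""
    name = member.name
    if name.startswith("/") or ".." in name.split("/"):
        return "absolute path or parent-directory component"
    if member.issym() or member.islnk():
        # A link aimed outside the tree lets a later member be written through it.
        base = "" if member.islnk() else posixpath.dirname(name)
        target = posixpath.normpath(posixpath.join(base, member.linkname))
        if member.linkname.startswith("/") or target.split("/")[0] == "..":
            return "link target outside archive root"
    elif not (member.isfile() or member.isdir()):
        return "special file (device or fifo)"
    if allowed_prefix and not name.startswith(allowed_prefix):
        return "outside permitted restore directory"
    return None

def audit_archive(data, allowed_prefix=None):
    """Map each rejected member name to its reason; an empty dict means the archive is clean."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {m.name: r for m in tar.getmembers() if (r := unsafe_reason(m, allowed_prefix))}

def restore_to_tempdir(data, allowed_prefix=None):
    """Audit first, then extract into a staging directory (never '-C /'); return restored files."""
    if rejected := audit_archive(data, allowed_prefix):
        raise ValueError(f"archive rejected: {rejected}")
    with tempfile.TemporaryDirectory() as staging, tarfile.open(fileobj=io.BytesIO(data)) as tar:
        # Python 3.12+ (and security backports) offer the 'data' filter as a second line of defence.
        tar.extractall(path=staging, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        return {m.name: Path(staging, m.name).read_bytes() for m in tar.getmembers() if m.isfile()}

def build_tgz(entries):
    """Constructed sample archive: a bytes value is a regular file, a str value is a symlink target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name)
            if isinstance(payload, str):
                info.type, info.linkname = tarfile.SYMTYPE, payload
            else:
                info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload) if isinstance(payload, bytes) else None)
    return buf.getvalue()

MALICIOUS_TGZ = build_tgz({"etc/shadow": b"root::0:0:99999:7:::\n",  # relative name: no '..' needed under -C /
                           "../../tmp/escape": b"x", "var/www/link": "/etc"})  # traversal; symlink out of tree
LEGIT_TGZ = build_tgz({"var/backups/mozzi/settings.cfg": b"freq=98.5\n"})
```

Note that etc/shadow passes the traversal check alone, which is why the staging directory and the prefix allow-list are needed on top of it.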


Technical Details

Data Version: 5.2
Assigner Short Name: Gridware
Date Reserved: 2025-11-26T00:21:58.504Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692654b3ca41832e1e5d9fb6

Added to database: 11/26/2025, 1:15:31 AM

Last enriched: 11/26/2025, 1:31:04 AM

Last updated: 11/26/2025, 7:23:50 AM

