CVE-2025-66263: CWE-158 Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform null byte injection in download_setting.php, which allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating the user-controlled `$_GET['filename']` with a forced `.tgz` extension. Because the application runs on PHP 5.3.2 (pre-5.3.4), it is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. When `filename=../../../../etc/passwd%00` is requested, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated disclosure of any file readable by the web server user.
AI Analysis
Technical Summary
CVE-2025-66263 is an unauthenticated arbitrary file read vulnerability affecting multiple versions of the Mozart FM Transmitter product line by DB Electronica Telecomunicazioni S.p.A. The root cause lies in the download_setting.php script, which constructs file paths by concatenating a user-controlled 'filename' GET parameter with a fixed '.tgz' extension. The application runs on PHP version 5.3.2, which is vulnerable to null byte injection attacks due to improper string termination handling in underlying C functions. By injecting a null byte (%00) into the filename parameter, an attacker can truncate the string before the '.tgz' extension, effectively bypassing the intended file extension restriction. This enables directory traversal attacks allowing arbitrary file reads of any file accessible by the web server user, such as sensitive configuration files or password files (e.g., /etc/passwd). The vulnerability requires no authentication or user interaction, making it highly exploitable remotely. The affected versions include a broad range of Mozart FM Transmitter models (30 through 7000), indicating widespread exposure. The CVSS 4.0 base score is 8.9 (high), reflecting the network vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. Although no known exploits have been reported in the wild yet, the vulnerability's characteristics suggest it could be weaponized easily. The vulnerability is classified under CWE-158 (Improper Neutralization of Null Byte or Encoded Null Byte). No patches are currently linked, so mitigation relies on configuration changes and environment upgrades.
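The following Python model is an added illustration and is not code from the advisory or from the vendor. It reproduces the path construction the summary describes (decoded `filename` plus a forced `.tgz`), shows what a NUL-terminated C string API actually receives from it, and places a hardened validator beside it. The settings directory `/var/tdf/settings`, the allow-list pattern and all function names are assumptions chosen for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory for settings archives: the advisory names only the script
# (/var/tdf/download_setting.php), not where the .tgz files are stored.
SETTINGS_DIR = "/var/tdf/settings"
# Allow-list for archive names: no separators, no dots, bounded length (assumed policy).
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_path_unsafe(raw_query_value: str) -> str:
    """The construction the advisory describes: decoded user input plus a forced '.tgz'.
    Reproduced only to show why the forced extension is not a control."""
    return SETTINGS_DIR + "/" + unquote(raw_query_value) + ".tgz"


def as_seen_by_nul_terminated_api(path: str) -> str:
    """A C string ends at the first NUL byte, so a filesystem call receives only the prefix.
    PHP 5.3.4 closed this by refusing paths that contain NUL; 5.3.2 passes them through."""
    return path.split("\x00", 1)[0]


def effective_target_unsafe(raw_query_value: str) -> str:
    """Normalised path the vulnerable construction actually opens for a given request value."""
    return os.path.normpath(as_seen_by_nul_terminated_api(build_path_unsafe(raw_query_value)))


def safe_settings_path(raw_query_value: str, base_dir: str = SETTINGS_DIR) -> Optional[str]:
    """Hardened replacement: returns the resolved archive path, or None to reject the request."""
    name = unquote(raw_query_value)
    # 1. Reject NUL explicitly rather than relying on the runtime to do it.
    if "\x00" in name:
        return None
    # 2. Allow-list the name; this alone excludes '/', '\\', '.' and therefore '..'.
    if not ALLOWED_NAME.fullmatch(name):
        return None
    # 3. Defence in depth: resolve the final path and confirm it is still under base_dir,
    #    so a future loosening of the allow-list cannot reintroduce traversal.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".tgz"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("site_backup", "../../../../etc/passwd%00"):
        print(repr(value), "->", effective_target_unsafe(value), "| hardened:", safe_settings_path(value))
```

The allow-list is the primary control; the `realpath` containment check exists so that the validator stays correct even if the name pattern is later relaxed to permit dots or subdirectories.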
Potential Impact
For European organizations, especially broadcasters and telecommunications providers using Mozart FM Transmitter devices, this vulnerability poses a significant risk of sensitive information disclosure. Attackers could access configuration files, credentials, or other sensitive data stored on the device, potentially leading to further compromise or disruption of broadcasting services. The unauthenticated nature of the exploit means attackers can remotely target devices exposed to the internet or accessible within internal networks without needing credentials. This could undermine the confidentiality of operational data and potentially impact the integrity of broadcast configurations if combined with other attacks. Given the critical role of FM transmitters in communication infrastructure, exploitation could also affect availability indirectly by enabling attackers to gather intelligence for subsequent attacks. The broad range of affected device versions increases the likelihood of exposure across multiple European countries. The high CVSS score reflects the severity and ease of exploitation, emphasizing the need for urgent attention to mitigate risks.
Mitigation Recommendations
1. Immediately restrict network access to the download_setting.php endpoint by implementing firewall rules or network segmentation to limit exposure to trusted management networks only.
2. Upgrade the PHP environment on the affected devices to a version later than 5.3.4, where null byte injection vulnerabilities are addressed.
3. Apply any vendor-supplied patches or firmware updates as soon as they become available from DB Electronica Telecomunicazioni S.p.A.
4. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block requests containing null byte characters or suspicious traversal patterns targeting the filename parameter.
5. Conduct an audit of exposed devices to identify any signs of compromise or unauthorized file access.
6. Review and harden file permissions on the device to minimize the files accessible by the web server user.
7. Monitor network traffic and logs for anomalous requests targeting download_setting.php or unusual file access patterns.
8. Consider isolating vulnerable devices from public networks until mitigations are in place.
9. Educate operational teams about the risks and ensure incident response plans include this vulnerability scenario.
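For recommendations 4 and 7, the detection below is an added example, not part of the advisory or any vendor tooling. It scans Apache combined-format access-log lines for requests to download_setting.php whose query parameters carry a NUL byte or a `..` segment after decoding, peeling several layers of percent-encoding so that a double-encoded `%2500` is caught as well. The log lines are constructed samples, the addresses are from documentation ranges, and the URL path of the endpoint is assumed (the advisory gives only the script's filesystem location).

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:01:15:31 +0000] "GET /download_setting.php?filename=site_backup HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:01:16:02 +0000] "GET /download_setting.php?filename=../../../../etc/passwd%00 HTTP/1.1" 200 1823 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2025:01:16:09 +0000] "GET /download_setting.php?filename=..%2F..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 1823 "-" "curl/8.4.0"
192.0.2.9 - - [26/Nov/2025:01:17:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "download_setting.php"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Peel several layers of percent-encoding so %2500 -> %00 -> NUL is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> list:
    """Return [(param, reasons)] for each query parameter of a download_setting.php request
    that carries a NUL byte or a '..' path segment after decoding; [] otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + ENDPOINT):
        return []
    hits = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        reasons = []
        if "\x00" in value:
            reasons.append("null byte")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append("path traversal")
        if reasons:
            hits.append((unquote(name), reasons))
    return hits


def scan_log(text: str) -> list:
    """Run inspect_request over each line; a 200 with a non-zero size suggests disclosure succeeded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reasons in inspect_request(m["target"]):
            findings.append({
                "ip": m["ip"], "time": m["ts"], "param": param,
                "reasons": reasons, "status": m["status"], "size": m["size"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Every parameter is inspected rather than only `filename`, since a WAF or log rule keyed to one parameter name is easy to sidestep; the response status and size are kept with each finding so that hits with a 200 and a non-zero body can be triaged first during the audit in recommendation 5.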
Affected Countries
Italy, Germany, France, United Kingdom, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Gridware
- Date Reserved: 2025-11-26T00:21:58.504Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692654b3ca41832e1e5d9fb9
Added to database: 11/26/2025, 1:15:31 AM
Last enriched: 12/3/2025, 4:24:36 AM
Last updated: 12/4/2025, 10:06:35 PM
Views: 39