Overview
CVE-2025-66261 details a critical unauthenticated OS command injection vulnerability found in DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. This vulnerability allows an attacker to execute arbitrary commands on the underlying operating system without authentication, potentially leading to complete system compromise.
Technical Details
The vulnerability resides in the /var/tdf/restore_settings.php endpoint. The application improperly handles the name parameter passed via the $_GET array. Specifically, the value of the name parameter is processed through the urldecode() function and then directly passed to the exec() function without any validation or sanitization.
This lack of validation allows an attacker to inject arbitrary shell commands by including metacharacters such as ;, |, or && within the name parameter. These metacharacters are used to chain commands in the shell, allowing an attacker to execute commands beyond the intended functionality of the restore_settings.php script.
Because the exec() function executes commands as the web server user, a successful attack results in remote code execution (RCE) under the privileges of that user. This can be leveraged to escalate privileges and gain complete control of the affected system.
Example Attack Vector:
An attacker could send a request similar to the following:
GET /var/tdf/restore_settings.php?name=test;reboot
In this example, the reboot command would be executed after the (likely nonexistent) file “test” is processed, causing the FM Transmitter to reboot.
CVSS Analysis
A CVSS score has not yet been assigned (N/A). However, given the unauthenticated nature of the vulnerability and the potential for remote code execution, it would likely be rated as critical with a CVSS score of 9.0 or higher once assigned. A complete lack of authentication coupled with the ability to inject OS commands directly leads to extreme severity.
Possible Impact
The impact of this vulnerability is severe. Successful exploitation can allow attackers to:
- Gain complete control of the FM Transmitter.
- Steal sensitive information, including configuration data and credentials.
- Disrupt broadcast services.
- Use the compromised device as a foothold to attack other systems on the network.
- Install malware or backdoors for persistent access.
Mitigation or Patch Steps
The following steps are recommended to mitigate this vulnerability:
- Apply the Security Patch: DB Elettronica Telecomunicazioni S.p.A. should release a security patch that properly sanitizes or validates the name parameter before passing it to the exec() function. Apply the patch immediately once it becomes available. Contact DB Elettronica support for specific instructions on how to obtain and install the patch.
- Input Validation: Implement strict input validation on the name parameter. Specifically, avoid using user-supplied data directly in shell commands. If the name parameter represents a filename, validate that the filename exists and conforms to expected patterns.
- Principle of Least Privilege: Ensure the web server process runs with the minimum privileges necessary to perform its required functions. Avoid running the web server as root.
- Network Segmentation: Segment the FM Transmitter network from other critical infrastructure to limit the potential impact of a successful attack.
- Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) with rules designed to detect and block OS command injection attempts. However, this is not a replacement for patching the underlying vulnerability.
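The following is an added illustration, not DB Elettronica's code, of the vulnerable pattern from the Technical Details section beside the validated handler the Input Validation step calls for. It assumes PHP 8, a backup directory /var/tdf/backups and a hypothetical restore helper /usr/local/bin/tdf_restore; none of these paths come from the advisory.

```php
<?php
// Assumed layout (not from the advisory): backups live under BACKUP_DIR and a
// hypothetical helper binary performs the actual restore.
const BACKUP_DIR  = '/var/tdf/backups';
const RESTORE_BIN = '/usr/local/bin/tdf_restore';

// Vulnerable shape described in the advisory: the (already URL-decoded) $_GET
// value is decoded a second time and handed to the shell unchanged, so any
// ; | && in it becomes a separate command.
function restore_vulnerable(string $name): string
{
    exec(RESTORE_BIN . ' ' . urldecode($name), $out);
    return implode("\n", $out);
}

// Hardened version: accept only a conservative filename, confirm it resolves
// inside BACKUP_DIR, and quote it so the shell sees exactly one argument.
function validate_backup_name(string $name): ?string
{
    // Whitelist charset: letters, digits, dot, underscore, dash. This rejects
    // shell metacharacters, whitespace, newlines and path separators outright.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        return null;
    }
    // No dotfiles and no traversal-looking names, even though '/' is excluded.
    if ($name[0] === '.' || str_contains($name, '..')) {
        return null;
    }
    $base = realpath(BACKUP_DIR);
    $path = realpath(BACKUP_DIR . '/' . $name);
    // File must exist and must canonicalise to a location inside BACKUP_DIR.
    if ($base === false || $path === false || !str_starts_with($path, $base . '/')) {
        return null;
    }
    return $path;
}

function restore_hardened(string $rawName): string
{
    // $_GET is already URL-decoded by PHP; decoding again is what lets encoded
    // metacharacters slip past naive filters, so the raw value is used as-is.
    $path = validate_backup_name($rawName);
    if ($path === null) {
        http_response_code(400);
        return 'invalid backup name';
    }
    exec(escapeshellcmd(RESTORE_BIN) . ' ' . escapeshellarg($path), $out, $rc);
    return $rc === 0 ? implode("\n", $out) : 'restore failed';
}

echo restore_hardened($_GET['name'] ?? '');
```

With the whitelist in place the advisory's sample value test;reboot is rejected with HTTP 400 before any process is spawned; a request for a legitimate backup name succeeds only if that file actually exists under the backup directory.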
References
Abdulmhsblog.com: Detailed Analysis of WebFM Vulnerabilities
