Overview
CVE-2025-66253 describes a critical unauthenticated OS command injection vulnerability affecting multiple versions of DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters. Specifically, versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 are vulnerable. The vulnerability resides in the `start_upgrade.php` file, which allows an attacker to execute arbitrary operating system commands without authentication.
Technical Details
The vulnerability stems from the fact that user input passed to the `$_GET["filename"]` parameter within the `/var/tdf/start_upgrade.php` endpoint is directly passed into the `exec()` function without proper sanitization or shell escaping. This allows an attacker to inject arbitrary shell commands by using metacharacters such as `;`, `|`, `&&`, etc.
For example, an attacker could craft a malicious URL like this:
/var/tdf/start_upgrade.php?filename=evil;id;
This would execute the `id` command on the server, revealing information about the user the web server is running as (likely root).
CVSS Analysis
Because the official CVE record does not provide a CVSS score, a precise evaluation is not possible. However, given the unauthenticated nature of the vulnerability and the ability to achieve remote code execution as root, it is highly likely that this vulnerability would receive a Critical severity rating with a CVSS score between 9.0 and 10.0. A critical score is warranted by the low attack complexity and high impact (complete loss of confidentiality, integrity, and availability).
Possible Impact
The exploitation of CVE-2025-66253 could have severe consequences, including:
- Complete System Compromise: An attacker could gain full control of the affected FM transmitter.
- Data Exfiltration: Sensitive information stored on the device could be accessed and stolen.
- Malware Installation: The compromised device could be used to install malware.
- Denial of Service (DoS): The attacker could disrupt the normal operation of the FM transmitter, leading to broadcasting outages.
- Lateral Movement: The compromised device could be used as a stepping stone to attack other systems on the same network.
Mitigation and Patch Steps
The most effective mitigation is to apply the official patch provided by DB Elettronica Telecomunicazioni S.p.A. Contact the vendor directly or check their website for updates and security advisories related to CVE-2025-66253.
In the interim, if patching is not immediately possible, consider the following temporary mitigations:
- Network Segmentation: Isolate the FM transmitter on a separate network segment with limited access from other systems.
- Access Control Lists (ACLs): Restrict access to the `/var/tdf/start_upgrade.php` endpoint to only authorized IP addresses. This is highly recommended but will not prevent exploitation from authorized systems.
- Web Application Firewall (WAF): Implement a WAF to detect and block malicious requests targeting the `/var/tdf/start_upgrade.php` endpoint. The WAF should be configured to look for shell metacharacters and other command injection attempts.
- Input Validation (If possible): If you have access to the source code, implement strict input validation on the `filename` parameter to ensure it only contains expected characters and does not include any shell metacharacters. However, relying on this without patching is risky.
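As an added illustration of the last two points (this is example code, not the vendor's `start_upgrade.php`), the first function reproduces the unsafe pattern the advisory describes, and the second shows a hardened replacement that allow-lists the parameter, confines it to a directory, and quotes it for the shell. The upgrade directory `/var/tdf/upgrades` and the helper binary `/usr/local/bin/upgrade` are assumptions.

```php
<?php
// Added example; not the vendor's code. UPGRADE_DIR and the helper
// binary are assumptions made for illustration.
const UPGRADE_DIR = '/var/tdf/upgrades';

// Unsafe pattern described in the advisory: untrusted input is concatenated
// straight into the command line, so ';', '|', '&&' etc. reach the shell.
function startUpgradeVulnerable(string $filename): void
{
    exec('/usr/local/bin/upgrade ' . $filename);
}

// Hardened replacement: strict allow-list, directory confinement, and
// shell quoting. Returns true only when the upgrade helper exits 0.
function startUpgradeHardened(string $filename): bool
{
    // Plain file names only: letters, digits, dot, dash, underscore;
    // no path separators and no shell metacharacters can pass this test.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $filename)) {
        http_response_code(400);
        return false;
    }

    // Resolve the path and make sure it really lives inside UPGRADE_DIR
    // (realpath() returns false if the file does not exist).
    $path = realpath(UPGRADE_DIR . '/' . $filename);
    if ($path === false || strpos($path, UPGRADE_DIR . '/') !== 0) {
        http_response_code(404);
        return false;
    }

    // escapeshellarg() single-quotes the value so it is always one argument;
    // together with the allow-list this is defence in depth, not the sole check.
    exec('/usr/local/bin/upgrade ' . escapeshellarg($path), $output, $rc);
    return $rc === 0;
}

// A missing parameter is rejected by the allow-list instead of reaching exec().
startUpgradeHardened($_GET['filename'] ?? '');
```

The endpoint should additionally sit behind authentication; the validation above only addresses the injection itself, not the unauthenticated access the advisory also notes.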
