
CVE-2025-66259: Critical Root RCE Vulnerability Found in DB Elettronica Mozart FM Transmitters

Overview

CVE-2025-66259 is a critical OS command injection vulnerability in the web interface of DB Elettronica Telecomunicazioni S.p.A. Mozart FM transmitters that results in remote code execution. An authenticated attacker holding administrative privileges on the web interface can execute arbitrary commands as root on the device, because the main_ok.php script does not validate user-supplied input before handing it to a shell command.

Affected products include the Mozart 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000 and 7000 transmitter models.

Technical Details

The root cause is in the main_ok.php script, where the values submitted for the date and time settings (the data, hour and time parameters) are inserted directly into an invocation of the date shell command without any sanitization. Shell metacharacters in those parameters are therefore interpreted by the shell, letting an attacker append arbitrary commands to the one the script intended to run (the classic CWE-78 pattern). Because the web application runs with root privileges, the injected commands execute as root as well.

Example attack scenario:

            POST /main_ok.php HTTP/1.1
            Host: [target_ip]
            ...

            data=2025-12-01%3B+id%3B&hour=12&time=00

In this simplified example the data parameter is URL-encoded so that the script receives it as 2025-12-01; id; (a raw & inside the value would be split into separate parameters when the request body is parsed, so the payload must be encoded). If the script interpolates the value into the command line unquoted, the shell sees something like:

            date -s 2025-12-01; id; 12:00

and runs id as a second command once date has returned. If the script instead wraps the value in double quotes, the payload must close that quote first, for example 2025-12-01"; id; ", but the outcome is the same. Because the web application runs as root, the output of id reads uid=0(root), confirming root-level command execution rather than merely the privileges of an ordinary web server account.

CVSS Analysis

At the time of writing no CVSS score or severity had been published for this CVE (N/A). Scoring it under CVSS v3.1 with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H gives a base score of 7.2 (High): the requirement for administrative credentials (PR:H) is what keeps it below the Critical band. Only if the assessment treats the step from the web application to full control of the transmitter as a scope change (S:C) does the score rise to 9.1 (Critical). Either way, remote root code execution on a broadcast device has severe operational consequences, and where administrative credentials are weak, shared or reused the authentication requirement is a thin barrier.

Possible Impact

Successful exploitation of CVE-2025-66259 gives the attacker root on the transmitter, with consequences including:

  • Full System Compromise: complete control over the FM transmitter, including its configuration, operation and stored data.
  • Malware Installation: backdoors or other malicious software can be installed on the device and used to retain access after the original session ends.
  • Data Theft: credentials, network settings and any other sensitive information stored on or processed by the transmitter can be read and exfiltrated.
  • Denial of Service (DoS): the attacker can alter transmission parameters or disable the transmitter entirely, taking the station off air.
  • Pivot Point: the compromised transmitter can be used as a foothold to attack other devices on the broadcast or management network.

Mitigation and Patch Steps

Until DB Elettronica releases an official patch, the following mitigations reduce exposure:

  • Restrict Network Access: never expose the transmitter's web interface directly to the Internet. Place the device on a dedicated management network or behind a firewall, allow only the ports that are required, and limit access to authorized administrator workstations (for example via VPN).
  • Strong Passwords: enforce strong, unique passwords for every administrative account, replace any default credentials, and rotate them regularly. Because exploitation requires administrative access, credential hygiene is the primary control while the device is unpatched.
  • Disable Unnecessary Services: turn off any service on the transmitter that is not needed for operation, including the web interface itself if the transmitter can be managed another way.
  • Input Validation (If Possible): where the operator has access to the underlying filesystem, main_ok.php can be hardened by allow-listing the data, hour and time parameters against their exact expected formats (for example YYYY-MM-DD, 00-23 and 00-59) and quoting the result with escapeshellarg before it reaches the date command. Treat this as a stopgap: modifying vendor files may void support and will be overwritten by a firmware update, so verify the state of the script again after patching.
  • Monitor for Suspicious Activity: watch for child processes spawned by the web server process, unexpected outbound connections, new listening ports, and changes to files under the web root or in system configuration. A request to main_ok.php whose date or time fields contain shell metacharacters (;, |, &, $, backticks) is a direct indicator of an exploitation attempt.
  • Contact DB Elettronica: contact DB Elettronica support to obtain the patch or an approved workaround and to confirm which firmware versions are fixed.

Important: The best course of action is to apply the official patch released by DB Elettronica as soon as it becomes available.
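As an added illustration of both the injection described above and the input-validation mitigation, the following PHP is not DB Elettronica's code (the real layout and quoting of main_ok.php are not shown in this post). It models the pattern described: a vulnerable builder that interpolates the three request parameters into a shell command, beside a hardened version that allow-lists the exact format, rejects impossible calendar dates and passes the result through escapeshellarg so the shell never parses attacker-controlled text. The function names, the request arrays and the double-quoted form of the date command are assumptions.

```php
<?php
// Added example modelling the main_ok.php pattern; not vendor code.
// Function names, array shapes and the exact `date -s` quoting are assumptions.

// VULNERABLE: the three request fields are concatenated straight into a
// shell command line, so shell metacharacters in them become shell syntax.
function build_date_command_vulnerable(array $post): string
{
    $data = $post['data'] ?? '';
    $hour = $post['hour'] ?? '';
    $time = $post['time'] ?? '';
    return "date -s \"$data $hour:$time\"";
}

// HARDENED: allow-list the exact expected format, reject impossible dates,
// and quote the single argument so the shell cannot interpret it.
function build_date_command_safe(array $post): ?string
{
    // Each field must be present and a plain string (data[]=... is refused).
    foreach (['data', 'hour', 'time'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
    }
    $data = $post['data'];
    $hour = $post['hour'];
    $time = $post['time'];

    // YYYY-MM-DD, 00-23, 00-59. \z (not $) so a trailing newline cannot sneak in;
    // anything else, including ';', '"', '$' and backticks, is refused outright.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}\z/', $data)) {
        return null;
    }
    if (!preg_match('/^(?:[01]\d|2[0-3])\z/', $hour)) {
        return null;
    }
    if (!preg_match('/^[0-5]\d\z/', $time)) {
        return null;
    }

    // Syntactically valid but impossible dates such as 2025-02-30 are rejected too.
    [$y, $m, $d] = array_map('intval', explode('-', $data));
    if (!checkdate($m, $d, $y)) {
        return null;
    }

    // Defence in depth: even validated input travels as one quoted argument.
    return 'date -s ' . escapeshellarg("$data $hour:$time");
}

// Constructed request bodies (not captured traffic). The malicious one closes
// the double quote the vulnerable builder opened and appends `id`.
$malicious = ['data' => '2025-12-01"; id; "', 'hour' => '12', 'time' => '00'];
$benign    = ['data' => '2025-12-01', 'hour' => '12', 'time' => '00'];

echo build_date_command_vulnerable($malicious), PHP_EOL;
var_dump(build_date_command_safe($malicious));
echo build_date_command_safe($benign), PHP_EOL;
```

Run with `php example.php`: the vulnerable builder returns a command line in which the shell sees id as a separate command after date, the hardened builder returns null for the same request, and for the benign request it produces a single-quoted argument that the shell passes to date verbatim. The deeper fix is architectural: the web interface should not run as root at all, and a clock change should go through a narrowly scoped privileged helper that receives structured arguments rather than a shell string, so that validation limits what a bug in that helper could be reached with.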

About the author: Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
