Overview
CVE-2025-66260 describes a SQL injection vulnerability in DB Elettronica Telecomunicazioni S.p.A. Mozart FM Transmitters; the affected versions are listed as 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The flaw is in the `status_sql.php` endpoint of the transmitter's web interface and allows an attacker who can reach that endpoint to inject SQL into queries run against the underlying PostgreSQL database.
Technical Details
The vulnerability stems from the way `status_sql.php` handles user-supplied input. The script builds SQL `UPDATE` statements by concatenating the values of the `sw1` and `sw2` request parameters directly into the query string, without parameterized queries (`pg_query_params()`) or any validation of the values against the small set the switches can legitimately take. It also does not escape the values with `pg_escape_string()`, although escaping would only help if the values were embedded as quoted string literals; for values concatenated unquoted, escaping is no defence at all, and the correct fix is binding plus validation. The direct concatenation means whatever is placed in `sw1` or `sw2` is interpreted as SQL.
The advisory states that the `pg_exec()` call used here does not permit stacked queries (a second statement appended after a semicolon), so the attacker is confined to altering the single `UPDATE`. Even within that constraint an attacker can still:
- Exfiltrate Data: Inject a subquery in place of a parameter value so that the `UPDATE` writes data from another table into a column that is later read back through the status interface.
- Reconnaissance: Provoke PostgreSQL error messages by crafting syntactically valid but failing SQL (for example a `CAST` of a text subquery to an integer) and, if the server is configured to return those errors to the client, read the database version, table and column names, and other internal details from them.
CVSS Analysis
No CVSS score has been published for CVE-2025-66260 at the time of writing. The eventual score will depend on the impact on confidentiality, integrity, and availability, on whether the endpoint is reachable without authentication, and on whether exploitation is possible over the network. Because a successful attack can read data out of the database and modify transmitter state, a high severity is likely once a score is assigned.
Possible Impact
A successful SQL injection attack on a Mozart FM Transmitter could have significant consequences, including:
- Data Breach: Exposure of sensitive configuration data, user credentials, or other confidential information stored in the database.
- System Compromise: If the application connects as a PostgreSQL superuser (or a role with `pg_execute_server_program`), an attacker can use server-side features such as `COPY ... TO PROGRAM` to run commands on the operating system hosting the database and from there control the transmitter itself. With a low-privilege database role this escalation is not available, which is why the least-privilege step below matters.
- Service Disruption: Manipulation of the database could lead to malfunctions or complete failure of the FM transmission system, resulting in significant downtime.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-66260, the following steps are recommended:
- Apply the Patch: Contact DB Elettronica Telecomunicazioni S.p.A. and immediately apply the official patch or firmware update that addresses this vulnerability. This is the most effective way to resolve the issue.
- Input Sanitization: This fix belongs in the vendor's code, since the script ships inside the transmitter firmware. The right repair is to pass `sw1` and `sw2` as bound parameters via `pg_query_params()` and to validate them against the set of values the switches actually accept before the query is built. `pg_escape_string()` is not a substitute: it only protects values embedded as quoted string literals and does nothing for values concatenated unquoted.
- Principle of Least Privilege: Ensure the database role used by the transmitter's web application has only the privileges it needs, for example `UPDATE` on the specific status table rather than ownership of the database, and is never a superuser. This limits what an injected query can read and removes the path from SQL injection to operating-system command execution.
- Network Exposure and WAF: Restrict reachability of the transmitter's web interface to a dedicated management network and, where the interface must be reachable more widely, place a Web Application Firewall (WAF) in front of it with rules tuned for SQL injection. Treat the WAF as a compensating control until the patch is applied, not as the fix.
- Database Auditing: Log the statements executed against the database (for example with PostgreSQL's `log_statement` and `log_min_error_statement` settings, or the pgaudit extension) so that subqueries, `CAST` errors, and other anomalies arriving through `sw1` and `sw2` can be detected and investigated.
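The following is an added example, not the vendor's `status_sql.php` and not code from the advisory. It shows the concatenation pattern described under Technical Details beside the parameterized and validated form recommended under Input Sanitization, and prints what the vulnerable builder would send to PostgreSQL for two hostile values of `sw2` (an exfiltrating subquery and an error-based `CAST`). The table and column names (`tx_status`, `sw1`, `sw2`, `id`, `users`, `passwd`), the assumption that the values are concatenated unquoted, and the assumption that a switch accepts only `0` or `1` are illustrative; the hardened function needs a live connection and is only defined here, not called.

```php
<?php
// Added example; status_sql.php internals, table and column names are assumptions.

// --- Vulnerable pattern: request values concatenated straight into the UPDATE.
// If the real script quotes the values, a payload would begin with a closing
// quote instead; the mechanism is otherwise the same.
function build_update_vulnerable(string $sw1, string $sw2): string
{
    return "UPDATE tx_status SET sw1=" . $sw1 . ", sw2=" . $sw2 . " WHERE id=1";
}

// --- Hardened pattern: reject anything outside the legal value set, then bind
// the values so the driver never interprets them as SQL.
function validate_switch(string $value): int
{
    // Legal set is an assumption; adjust to what the product's switches accept.
    if (!preg_match('/^[01]$/', $value)) {
        throw new InvalidArgumentException("switch value must be 0 or 1");
    }
    return (int) $value;
}

function update_switches_safe($conn, string $sw1, string $sw2): bool
{
    $s1 = validate_switch($sw1);
    $s2 = validate_switch($sw2);
    // $1/$2 are PostgreSQL parameter placeholders; values travel out of band.
    $res = pg_query_params(
        $conn,
        'UPDATE tx_status SET sw1 = $1, sw2 = $2 WHERE id = 1',
        [$s1, $s2]
    );
    return $res !== false;
}

// Demonstration that needs no database: constructed inputs, one benign and two hostile.
$inputs = [
    // benign request
    ['1', '0'],
    // exfiltration: the subquery result is written into sw2 and read back from
    // whatever page later displays the row
    ['1', '(SELECT passwd FROM users LIMIT 1)'],
    // error-based reconnaissance: the CAST fails and PostgreSQL's error text
    // embeds the output of version() if errors are returned to the client
    ['1', 'CAST((SELECT version()) AS integer)'],
];

foreach ($inputs as [$sw1, $sw2]) {
    echo "vulnerable query: ", build_update_vulnerable($sw1, $sw2), PHP_EOL;
    try {
        validate_switch($sw1);
        validate_switch($sw2);
        echo "  hardened path: accepted", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "  hardened path: rejected (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

Run with `php example.php`; the two hostile inputs are rejected before any query is built, and the printed vulnerable queries show why escaping alone would not have helped: neither payload contains a quote character for `pg_escape_string()` to act on.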
