CVE-2025-66260
📋 TL;DR
This SQL injection vulnerability in DB Electronica Telecomunicazioni's Mozart FM Transmitter allows attackers to execute arbitrary SQL queries via the status_sql.php endpoint. Attackers can exfiltrate database contents and perform reconnaissance through verbose error messages. All Mozart FM Transmitter versions 30 through 7000 are affected.
💻 Affected Systems
- DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
📦 What is this software?
Mozart Dds Next 1000 Firmware by Dbbroadcast
Mozart Dds Next 2000 Firmware by Dbbroadcast
Mozart Dds Next 3000 Firmware by Dbbroadcast
Mozart Dds Next 3500 Firmware by Dbbroadcast
Mozart Dds Next 6000 Firmware by Dbbroadcast
Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, user credentials, and system information exfiltration leading to full system takeover.
Likely Case
Data exfiltration from PostgreSQL database including configuration details, potentially leading to further system compromise.
If Mitigated
Limited information disclosure through error messages if input validation is partially implemented.
🎯 Exploit Status
Exploitation is straightforward as no authentication is required and the vulnerability is in a web endpoint with direct SQL injection via GET/POST parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch available. Implement workarounds or contact vendor for updated firmware.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules to block malicious requests to status_sql.php
Network Access Control
Restrict access to the Mozart FM Transmitter web interface to trusted IP addresses only
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Disable or block access to the status_sql.php endpoint at the network level
- Implement strict input validation and parameterized queries if source code modification is possible
🔍 How to Verify
Check if Vulnerable:
Send a test request to /status_sql.php with an SQL injection payload in the sw1 or sw2 parameter and check for database errors or unexpected responses
Check Version:
Check web interface or device management console for firmware version information
Verify Fix Applied:
Test with SQL injection payloads after implementing fixes; a successful fix should return a generic error and leak no data
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple requests to status_sql.php with SQL keywords in parameters
- Requests containing UNION, SELECT, or other SQL injection patterns
Network Indicators:
- HTTP requests to /status_sql.php with SQL syntax in parameters
- Unusual database query patterns from web server IP
SIEM Query:
source="web_logs" AND uri="/status_sql.php" AND (param="sw1" OR param="sw2") AND (content CONTAINS "UNION" OR content CONTAINS "SELECT" OR content CONTAINS "' OR '")
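As an added example (not part of this advisory or the vendor's tooling), a Python script that applies the log indicators above to constructed sample access-log lines. It percent-decodes the sw1/sw2 values before matching, which a literal substring query like the SIEM query above would miss when the payload arrives URL-encoded. The log format, IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style), not captured from a real device.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /status_sql.php?sw1=1&sw2=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /status_sql.php?sw1=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /status_sql.php?sw2=1%20UNION%20SELECT%20version() HTTP/1.1" 500 233',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?q=select HTTP/1.1" 200 100',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# The indicators named in the advisory: UNION, SELECT and the ' OR ' tautology fragment.
SQLI_RE = re.compile(r"\bUNION\b|\bSELECT\b|'\s*OR\s*'", re.IGNORECASE)
WATCHED_PARAMS = ("sw1", "sw2")  # the injectable parameters named in the advisory


def flag_request(line):
    """Return a finding for a status_sql.php request whose sw1/sw2 value matches an
    SQL injection indicator, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/status_sql.php":
        return None
    # parse_qs percent-decodes, so %27%20OR%20%27 is inspected as ' OR ' instead of being missed.
    params = parse_qs(url.query, keep_blank_values=True)
    hits = [(p, v) for p in WATCHED_PARAMS for v in params.get(p, []) if SQLI_RE.search(v)]
    if not hits:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"),
            "status": int(m.group("status")), "params": hits}


def scan(lines):
    """Run flag_request over every line and keep only the findings."""
    return [f for f in map(flag_request, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Standard access logs do not record POST bodies, so the POST path the advisory mentions needs the same check applied at a reverse proxy or WAF that logs request bodies.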