CVE-2025-66261
📋 TL;DR
This CVE describes an unauthenticated OS command injection vulnerability in DB Electronica Telecomunicazioni Mozart FM Transmitters. Attackers can execute arbitrary shell commands on affected devices by sending specially crafted requests to the restore_settings.php endpoint. All Mozart FM Transmitter models (30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000) are affected.
💻 Affected Systems
- DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter
📦 What is this software?
- Mozart Dds Next 1000 Firmware by Dbbroadcast
- Mozart Dds Next 2000 Firmware by Dbbroadcast
- Mozart Dds Next 3000 Firmware by Dbbroadcast
- Mozart Dds Next 3500 Firmware by Dbbroadcast
- Mozart Dds Next 6000 Firmware by Dbbroadcast
- Mozart Dds Next 7000 Firmware by Dbbroadcast
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, or render devices inoperable.
Likely Case
Remote code execution leading to device takeover, configuration modification, service disruption, or use as a foothold for further attacks.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and input validation are implemented.
🎯 Exploit Status
Public technical details available; exploitation requires only HTTP requests with command injection payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check the vendor website for security updates. If a patch is available:
1. Download firmware update
2. Backup current configuration
3. Apply update via web interface
4. Verify functionality
🔧 Temporary Workarounds
Block vulnerable endpoint
Use web server configuration or firewall rules to block access to /var/tdf/restore_settings.php. The iptables string match below inspects raw packet payloads, so it only works for plaintext HTTP on port 80; on port 443 the request path is inside the TLS stream and the second rule will never match, so block the endpoint at the web server or a TLS-terminating proxy instead.
iptables -A INPUT -p tcp --dport 80 -m string --string "/var/tdf/restore_settings.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/var/tdf/restore_settings.php" --algo bm -j DROP
Input validation middleware
Implement input validation to reject shell metacharacters in the name parameter. Add the following to restore_settings.php before the exec() call; note that a denylist like this is only a stopgap, and passing the value through escapeshellarg() or validating it against an allowlist of expected file names is the stronger fix.
// Reject the request if the name parameter contains any shell metacharacter.
if (preg_match('/[;&|`$()\n\r]/', $name)) { die('Invalid input'); }
🧯 If You Can't Patch
- Isolate affected devices in separate network segment with strict firewall rules
- Implement web application firewall (WAF) with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Send a GET request to http://device-ip/var/tdf/restore_settings.php?name=test%3Bid and check whether the command executes (look for uid/gid in the response).
Check Version:
Check the web interface admin panel, or SSH to the device, and check the firmware version.
Verify Fix Applied:
Test with the same payload after remediation; you should receive an error or see no command execution.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /var/tdf/restore_settings.php with shell metacharacters in parameters
- Unusual process execution from web server user
- Multiple failed exploit attempts
Network Indicators:
- HTTP requests containing ;, |, &, `, $ in query parameters
- Unusual outbound connections from FM transmitter devices
SIEM Query (run it against the URL-decoded query string, since the test payload above encodes ; as %3B and a literal match would miss it):
source="web_logs" AND uri="/var/tdf/restore_settings.php" AND (query CONTAINS ";" OR query CONTAINS "|" OR query CONTAINS "&")
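The detection logic above, applied to access-log lines, as an added example that is not part of the original advisory: it parses combined-log-format lines (an assumption about the device's log format), percent-decodes each query parameter of requests to /var/tdf/restore_settings.php, and flags any value carrying the shell metacharacters listed on this page. It also catches double-encoded values, which a literal string match on the raw query would miss. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Endpoint named in the advisory and the shell metacharacters the page lists.
TARGET_PATH = "/var/tdf/restore_settings.php"
SHELL_META = re.compile(r"[;|&`$()\n\r]")

# Combined-log-format access line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """(param, decoded value) pairs carrying shell metacharacters in a request
    to the vulnerable endpoint; [] for any other request."""
    parts = urlsplit(target)
    if unquote(parts.path) != TARGET_PATH:
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes once, so %3B is seen as ';'.
        # A second unquote catches double-encoded payloads such as %253B.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((key, decoded))
    return hits

def scan(lines):
    """Run the check over raw access-log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "params": hits})
    return alerts

# Constructed sample lines (not real traffic): one benign restore, two probes, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /var/tdf/restore_settings.php?name=backup1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "GET /var/tdf/restore_settings.php?name=test%3Bid HTTP/1.1" 200 140',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /var/tdf/restore_settings.php?name=a%257Cls HTTP/1.1" 200 140',
    '10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 512',
]
```

Feed the device's web server access log to scan() and forward each returned alert to the SIEM; the decoded parameter value in the alert is what the SIEM query should be matching on.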