CVE-2025-66252 in Mozart FM Transmitter
Summary
by MITRE • 11/26/2025
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink() fails in status_contents.php causing DoS. Due to the fact that the unlink operation is done in a while loop; if an immutable file is specified or otherwise a file in which the process has no permissions to delete; it would repeatedly attempt to do in a loop.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/04/2025
The vulnerability identified as CVE-2025-66252 represents a critical denial of service weakness in the Mozart FM Transmitter software produced by DB Electronica Telecomunicazioni S.p.A. This flaw manifests specifically within the status_contents.php component of affected versions including 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000. The core technical issue stems from improper error handling during file deletion operations where the unlink() system call executes within an infinite loop structure. When the unlink() operation fails due to various conditions such as immutable file attributes or insufficient process permissions, the application enters a continuous loop attempting to remove the same file repeatedly. This design flaw directly violates security principles outlined in CWE-835, which specifically addresses infinite loops and their potential for denial of service exploitation. The vulnerability operates at the system call level where the operating system's file deletion mechanism encounters persistent failures, creating a resource exhaustion scenario that ultimately renders the affected system unavailable to legitimate users.
The operational impact of this vulnerability extends beyond simple service disruption to encompass complete system unavailability for legitimate operations. When an attacker successfully triggers this condition, the affected system becomes trapped in an infinite loop consuming CPU resources and preventing normal processing of other requests. The continuous loop execution prevents the application from proceeding to subsequent code sections, effectively blocking all further functionality within the status_contents.php module. This behavior aligns with ATT&CK technique T1499.004, which describes denial of service through resource exhaustion. The vulnerability affects the availability aspect of the CIA triad by preventing legitimate users from accessing system functions, while also potentially impacting system integrity through the unauthorized manipulation of system resources. Network operations and real-time processing capabilities would be severely compromised, particularly in broadcast environments where continuous operation is critical for maintaining service quality and reliability.
Mitigation strategies for CVE-2025-66252 must address both immediate defensive measures and long-term architectural improvements to prevent similar issues in future implementations. Immediate remediation efforts should focus on implementing proper error handling mechanisms that break out of loops when unlink() operations fail, incorporating timeout limits for deletion attempts, and adding proper logging of failed deletion events. The code should be modified to check file attributes and permissions before attempting deletion operations, and implement retry limits with exponential backoff mechanisms rather than infinite loops. Security patches should include validation of file system states and proper exception handling that prevents the application from entering infinite execution paths. Organizations should also implement monitoring solutions to detect unusual CPU utilization patterns that might indicate loop execution, while following ATT&CK framework recommendations for system hardening and access control enforcement. Additionally, the implementation of automated fail-safe mechanisms that can detect and terminate runaway processes will provide additional protection against this type of denial of service attack. The fix should also incorporate proper input validation and sanitization to prevent malicious inputs from triggering the vulnerable code path, ensuring that all file operations include appropriate boundary checks and permission verification before execution.