Full Report
Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution due to the fact that the call center
Analysis Summary
# Vulnerability: Unauthenticated RCE via Session Cookie Injection in ICTBroadcast
## CVE Details
- CVE ID: CVE-2025-2611
- CVSS Score: 9.3 (Critical)
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- Products: ICTBroadcast (Autodialer software from ICT Innovations)
- Versions: 7.4 and below
- Configurations: Any instance reachable over the network; internet-exposed instances are at greatest risk. Approximately 200 instances were noted as exposed online.
## Vulnerability Description
The vulnerability is an unauthenticated Remote Code Execution (RCE) flaw stemming from improper input validation when processing session cookie data (`BROADCAST` cookie). The application unsafely passes this cookie data to shell processing functions, allowing an attacker to inject arbitrary shell commands directly into the session cookie value. These injected commands are then executed by the vulnerable server with the privileges of the application.
## Exploitation
- Status: Exploited in the wild (Observed active exploitation since October 11, 2025)
- Complexity: Low (Unauthenticated remote command injection)
- Attack Vector: Network
**Observed Tactics:** Attackers perform a time-based exploit check (e.g., injecting `"sleep 3"` encoded in Base64 into the `BROADCAST` cookie) followed by attempts to establish reverse shells.
## Impact
- Confidentiality: High (Remote Code Execution can lead to information disclosure)
- Integrity: High (Remote Code Execution allows modification or deletion of data/systems)
- Availability: High (Establishment of reverse shells suggests potential for system compromise or disruption)
## Remediation
### Patches
- No official patch status was available at the time of the report. Contact ICT Innovations for updates.
### Workarounds
- Implement network-level access controls (e.g., firewall rules) to restrict access to the ICTBroadcast server only to known, trusted IP addresses.
- Deploy Web Application Firewall (WAF) rules to inspect and block suspicious inputs within HTTP headers, specifically targeting the `BROADCAST` cookie.
## Detection
- **Indicators of Compromise (IOCs):**
  - HTTP requests carrying specially crafted `BROADCAST` cookies, potentially containing Base64-encoded commands.
  - Network connections to external IPs such as `143.47.53[.]106` originating from the ICTBroadcast server.
  - Outbound connections attempting reverse shells, potentially using domains such as `localto[.]net`.
- **Detection Methods and Tools:**
  - Monitor web/application server logs for anomalous command executions or unusual activity within HTTP cookie fields.
  - Monitor network traffic for unexpected outbound connections initiated by the ICTBroadcast service process.
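The following is an added illustration of the log-inspection method above (and of the kind of check a WAF rule on the `BROADCAST` cookie would perform); it is not code from the advisory or from ICT Innovations. It assumes the web server has been configured to write the `Cookie` header into its access log; the log layout, the regular expressions and the sample log lines are constructed for this example.

```python
"""Flag access-log lines whose BROADCAST cookie carries shell content.

Added example, not part of the advisory. Assumes the access log includes the
Cookie header; the sample lines below are constructed, not real telemetry.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote

# Shell metacharacters, plus a few command names that never belong in a session
# identifier. Any hit in the raw or decoded cookie value is treated as suspicious.
SHELL_PATTERN = re.compile(r"[;|&`$(){}<>]|\b(sleep|bash|sh|nc|curl|wget|python)\b")

# Captures the BROADCAST cookie value up to the next cookie separator or quote.
COOKIE_RE = re.compile(r"BROADCAST=([^;\s\"]+)")


def decode_base64_loosely(value: str) -> Optional[str]:
    """Base64-decode value (adding missing padding); None if it is not base64 text."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_cookie(header: str) -> Optional[dict]:
    """Return a finding if the BROADCAST cookie (raw or base64-decoded) looks like shell input."""
    m = COOKIE_RE.search(header)
    if not m:
        return None
    value = unquote(m.group(1))          # percent-encoding is undone before inspection
    decoded = decode_base64_loosely(value)
    for text in [value] + ([decoded] if decoded else []):
        hit = SHELL_PATTERN.search(text)
        if hit:
            return {"cookie": value, "decoded": decoded, "match": hit.group(0)}
    return None


def scan_log(lines) -> list:
    """Return one finding per log line whose BROADCAST cookie is suspicious."""
    findings = []
    for line in lines:
        finding = inspect_cookie(line)
        if finding:
            finding["line"] = line
            findings.append(finding)
    return findings


# Constructed sample log lines (assumed format: client, timestamp, request, status, size, cookie).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "BROADCAST=sess-9f3a1c7e"',
    '203.0.113.9 - - [11/Oct/2025:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 512 "BROADCAST=c2xlZXAgMw=="',
    '203.0.113.9 - - [11/Oct/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512 "BROADCAST=abc%3Bid"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"suspicious cookie {f['cookie']!r} (decoded={f['decoded']!r}, matched {f['match']!r})")
```

The first sample line is a benign session identifier and produces no finding; the second carries the Base64 form of `sleep 3` described under Observed Tactics and is flagged after decoding; the third shows why percent-decoding happens before the check. Tune `SHELL_PATTERN` to the character set your real session tokens use, since legitimate Base64 tokens can contain `+` and `/` but never the metacharacters listed.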
## References
- VulnCheck advisory detailing exploitation: hxxps://www.vulncheck.com/blog/ictbroadcast-kev
- Vendor advisory: (Not specified in the article, contact ICT Innovations)