A significant security flaw has been identified in ICTBroadcast, an autodialer software developed by ICT Innovations, which is currently being actively exploited by cyber attackers. This vulnerability, designated as CVE-2025-2611 with a CVSS score of 9.3, stems from improper input validation that permits unauthenticated remote code execution. Specifically, the application inadequately processes session cookie data, allowing attackers to inject shell commands into a session cookie that the server then executes. This flaw affects ICTBroadcast versions 7.4 and earlier.
VulnCheck, a cybersecurity firm, reported observing exploitation of this vulnerability beginning on October 11, 2025. The attacks typically occur in two phases: an initial time-based exploit check followed by attempts to establish reverse shells. In the first phase, attackers send specially crafted HTTP requests containing a Base64-encoded command in the `BROADCAST` cookie, which translates to `sleep 3`. This command serves as a probe to confirm the server’s susceptibility to command execution. Upon successful execution, the attackers proceed to the second phase, where they attempt to create reverse shells to gain persistent access to the compromised server.
Notably, the attackers have been observed using a `localto[.]net` URL in their payloads and making connections to the IP address `143.47.53[.]106`. These indicators overlap with those identified in a previous campaign detailed by Fortinet in May 2025, which involved the distribution of a Java-based remote access trojan (RAT) named Ratty RAT targeting organizations in Spain, Italy, and Portugal. This suggests potential reuse or shared tooling among different threat actors.
The severity of this vulnerability is underscored by its ease of exploitation and the potential impact on affected systems. Attackers can execute arbitrary shell commands on the server remotely without requiring authentication, potentially compromising the entire server infrastructure. This could lead to unauthorized access to sensitive data, disruption of services, and further propagation of malicious activities within the network.
As of now, there is no information available regarding the availability of patches to address this vulnerability. Organizations using ICTBroadcast are strongly advised to implement the following mitigation strategies:
1. Update Software: Ensure that ICTBroadcast is upgraded to the latest version beyond 7.4, where patches addressing this vulnerability might have been deployed.
2. Input Validation: Implement rigorous input validation mechanisms to scrutinize all data passed through session cookies and eliminate the risk of shell command injection.
3. Network Segmentation: Restrict network access to ICTBroadcast servers using firewalls and VPNs, limiting exposure to trusted IP addresses only.
4. Monitoring and Detection: Deploy intrusion detection systems (IDS) and regularly monitor logs for signs of exploitation attempts, such as unusual HTTP requests or unexpected shell command executions.
Given the critical nature of this vulnerability and the active exploitation observed, it is imperative for organizations to act promptly to secure their ICTBroadcast deployments. Failure to address this issue could result in significant security breaches, operational disruptions, and potential legal and reputational consequences.
