Oct 15, 2025 | Ravie Lakshmanan | Vulnerability / Server Security
Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution, because the call center application unsafely passes session cookie data to shell processing.
This, in turn, allows an attacker to inject shell commands into a session cookie that then get executed on the vulnerable server. The security flaw affects ICTBroadcast versions 7.4 and below.
“Attackers are leveraging the unauthenticated command injection in ICTBroadcast via the BROADCAST cookie to gain remote code execution,” VulnCheck's Jacob Baines said in a Tuesday alert. “Roughly 200 online instances are exposed.”
The cybersecurity firm said it detected in-the-wild exploitation on October 11, with the attacks occurring in two phases, starting with a time-based exploit check followed by attempts to set up reverse shells.
To that end, unknown threat actors have been observed injecting a Base64-encoded command that translates to “sleep 3” into the BROADCAST cookie of specially crafted HTTP requests to confirm command execution, and then creating reverse shells.
“The attacker used a localto[.]net URL in the mkfifo + nc payload, and also made connections to 143.47.53[.]106 in other payloads,” Baines noted.
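As an added defender-side example (not code from the article, VulnCheck or ICT Innovations), the following Python scans request log lines for a BROADCAST cookie whose value either Base64-decodes to a shell command, like the “sleep 3” timing probe described above, or carries shell metacharacters after URL decoding. The log line format, the regular expressions and the sample lines are constructed assumptions, not real traffic.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote

# BROADCAST cookie value as it appears in a logged Cookie header (assumed log format).
COOKIE_RE = re.compile(r"BROADCAST=([^;\"\s]+)")
# Characters a session id never needs but a shell interprets.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")
# Commands seen in the reported payloads: sleep (timing probe), mkfifo/nc (reverse shell).
SUSPECT_COMMANDS = re.compile(r"\b(sleep|mkfifo|nc|ncat|bash|sh|curl|wget)\b")


def decode_base64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is Base64 for printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def inspect_broadcast_cookie(log_line: str) -> dict:
    """Inspect one request log line and report findings for its BROADCAST cookie."""
    result = {"present": False, "suspicious": False, "decoded": None, "reasons": []}
    match = COOKIE_RE.search(log_line)
    if not match:
        return result
    result["present"] = True
    value = unquote(match.group(1))  # undo URL encoding before looking at the value
    decoded = decode_base64_text(value)
    result["decoded"] = decoded
    for label, text in (("raw", value), ("base64-decoded", decoded)):
        if text is None:
            continue
        if SHELL_METACHARS.search(text):
            result["reasons"].append(f"shell metacharacters in {label} value")
        cmd = SUSPECT_COMMANDS.search(text)
        if cmd:
            result["reasons"].append(f"suspect command '{cmd.group(1)}' in {label} value")
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed sample log lines: a normal session id, the Base64 "sleep 3" timing probe
# described in the article, and a URL-encoded value carrying shell syntax.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.php HTTP/1.1" 200 "Cookie: BROADCAST=a1b2c3d4e5f60718293a4b5c6d7e8f90"',
    '198.51.100.7 "GET /index.php HTTP/1.1" 200 "Cookie: BROADCAST=c2xlZXAgMw=="',
    '198.51.100.7 "GET /index.php HTTP/1.1" 200 "Cookie: BROADCAST=%24%28id%29"',
]
```

Run `inspect_broadcast_cookie` over each line of a real access log that records the Cookie header; only the second and third constructed lines come back flagged.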
It's worth noting that both the use of a localto.net link and the IP address were previously flagged by Fortinet in connection with an email campaign distributing a Java-based remote access trojan (RAT) named Ratty RAT targeting organizations in Spain, Italy, and Portugal.
These indicator overlaps suggest possible reuse or shared tooling, VulnCheck pointed out. There is currently no information available on the patch status of the flaw. The Hacker News has reached out to ICT Innovations for further comment, and we'll update the story if we hear back.