ICTBroadcast Servers Under Threat: Cookie Vulnerability Enables Remote Code Execution

A critical vulnerability in ICTBroadcast (CVE-2025-2611) enables unauthenticated remote code execution through malicious session cookies. With public exploits and Metasploit modules available, attackers are actively deploying reverse shells against exposed servers, putting unpatched systems at immediate risk.

    A newly disclosed critical vulnerability in ICTBroadcast, a widely used autodialer and call center automation tool, is being actively exploited in the wild. The flaw, tracked as CVE-2025-2611 with a CVSS v4 base score of 9.3, enables unauthenticated remote code execution (RCE) via a specially crafted session cookie. Exploitation has already been observed in the wild, targeting exposed ICTBroadcast instances and leveraging the vulnerability to deploy reverse shells.

    The exploitation of this bug highlights the persistent risk of insecure session handling and the broader challenge of improper input validation in server-side applications.

    Attackers are Exploiting Session Cookies for Remote Code Execution

    At the core of CVE-2025-2611 is a severe command injection flaw stemming from ICTBroadcast’s unsafe processing of the `BROADCAST` session cookie. Instead of sanitizing session data, the application passes cookie values directly to a shell environment. This allows attackers to embed system commands directly into the session cookie, resulting in arbitrary code running on the server without any authentication or user interaction required.

    Researchers at VulnCheck, who detected exploitation attempts on October 11, confirmed the attacker’s technique involved a two-phase approach:

    1. First, sending a payload that contained a Base64-encoded `sleep 3` command to verify code execution on the server.
    2. Then, transitioning to payloads that attempted to set up reverse shells.

    The attackers used payloads referencing localto[.]net and the IP address `143.47.53[.]106`. Both of these indicators were previously documented in connection with Java-based Ratty RAT campaigns targeting organizations in Spain, Italy, and Portugal—suggesting possible reuse of existing attacker infrastructure or shared tooling.

    PoC Code and Metasploit Module Available

    Security researchers, including Valentin Lobstein (known as Chocapikk), disclosed the flaw to ICT Innovations in March 2025. After the 120-day disclosure deadline passed without a public fix, Lobstein published proof-of-concept (PoC) code and authored a Metasploit module exploiting the vulnerability. This public exploit significantly lowered the barrier to weaponization. As of early August, both the vulnerability and its exploit code were publicly available and categorized as highly exploitable by multiple threat intelligence feeds.

    According to CVE Details and SecurityVulnerability.io, the vulnerability received a critical CVSS rating with the following attributes:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality Impact: High
    • Integrity & Availability Impact: Low

    These characteristics underscore the severity: unauthenticated attackers can exploit this from anywhere on the internet, provided the ICTBroadcast server is exposed.

    Internet-Exposed ICTBroadcast Instances are High-Risk

    According to VulnCheck’s telemetry, around 200 exposed ICTBroadcast servers are currently accessible online and susceptible to exploitation. Though ICTBroadcast is not designed to operate in public-facing environments, misconfigurations consistently place such applications at risk.

    VulnCheck has added CVE-2025-2611 to its Known Exploited Vulnerability (KEV) catalog and released:

    • Snort and Suricata detection signatures
    • IP intelligence associated with known attacker infrastructure
    • Recommended firewall and segmentation controls

    Security teams operating ICTBroadcast should use these signatures and indicators to scan for attack attempts and to monitor for unusual outbound network activity consistent with a reverse shell being established.

    Improper Input Validation and Insecure Defaults Are Core Concerns

    The Broader Security Implication: Lack of Input Sanitization in Web Applications

    The root cause of CVE-2025-2611 lies in input validation—or more accurately, its absence. According to Aqua Security and others, ICTBroadcast’s session handler does not validate the structure or contents of the cookie before using it in a shell context. The vulnerability is categorized under CWE-20, “Improper Input Validation,” a foundational class of bugs responsible for many high-severity issues.

    This security design failure proves particularly dangerous in session management, where user-supplied data often inherits implicit trust. In the case of ICTBroadcast, the server’s failure to enforce a verification boundary between session state and shell execution pathways opens a direct exploit vector.

    Organizations running ICTBroadcast version 7.4 or earlier are urged to:

    • Immediately isolate and inspect any internet-facing ICTBroadcast instances.
    • Audit all session handling code and assess configuration-derived risks.
    • Remove or disable unnecessary access to the `BROADCAST` cookie variable.
    • Monitor for known IoCs (Indicators of Compromise), including references to localto[.]net and IP 143.47.53[.]106.

    Until a patch or official vendor mitigation is released, affected administrators should apply WAF rules or reverse proxy filtering to detect and block malformed cookie headers.
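    The cookie filtering recommended above, written as an added example for a reverse proxy or WAF hook; it is not code from ICTBroadcast, VulnCheck or this article's author. It allowlists the `BROADCAST` cookie against an assumed session-token format (the real format is not documented here) and labels anything rejected the way the two-phase activity described earlier would look: raw shell metacharacters, or a Base64 blob that decodes to a command such as `sleep 3`. The token pattern and keyword list are assumptions to adapt to the deployment.

```python
import base64
import re
from typing import Optional

# Assumption: a legitimate BROADCAST session token is a plain alphanumeric
# string of 16-128 characters. Adjust to the real token format before use.
SESSION_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{16,128}$")
# Characters that change meaning when a value reaches a shell.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\\]")
# Assumed keyword list for labelling decoded payloads in log lines.
SHELL_WORDS = ("sleep", "bash", "sh ", "nc ", "curl", "wget", "/dev/tcp")


def _maybe_base64(value: str) -> Optional[str]:
    """Decode value as strict Base64 and return it only if it is readable text."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except Exception:  # bad alphabet, bad padding or not UTF-8: not a text payload
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def inspect_broadcast_cookie(cookie_header: str) -> dict:
    """Classify one request's Cookie header for a proxy/WAF decision.

    Returns {'action': 'allow'|'block', 'reason': str}. The allowlist decides;
    the later checks only refine the reason recorded for the blocked request.
    """
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name.strip()] = value.strip()
    value = cookies.get("BROADCAST")
    if value is None:
        return {"action": "allow", "reason": "no BROADCAST cookie present"}
    if SESSION_TOKEN_RE.fullmatch(value):
        return {"action": "allow", "reason": "well-formed session token"}
    if SHELL_META_RE.search(value):
        return {"action": "block", "reason": "shell metacharacters in BROADCAST"}
    decoded = _maybe_base64(value)
    if decoded is not None and any(w in decoded for w in SHELL_WORDS):
        return {"action": "block", "reason": f"base64-encoded shell command: {decoded!r}"}
    return {"action": "block", "reason": "BROADCAST does not match session token format"}


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdr in ("lang=en; BROADCAST=abcdef0123456789abcdef0123456789",
                "BROADCAST=abc$(sleep 3)def", "BROADCAST=c2xlZXAgMw=="):
        print(hdr, "->", inspect_broadcast_cookie(hdr))
```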

    Active Exploitation Reinforces the Need for Fast Patch Cycles

    Developers and Asset Owners Must Prioritize Response

    With public PoC and Metasploit modules available, the exploitation rate for CVE-2025-2611 is likely to rise. Given the vulnerability’s characteristics—unauthenticated RCE with minimal complexity—it fits the profile for automation in botnets, initial access campaigns, and potentially ransomware pipelines.

    Valentin Lobstein disclosed the flaw responsibly in March 2025 and moved to publication only after the vendor failed to act within the agreed 120-day timeline; the weaponized exploits appeared only after that grace period had expired. This timeline highlights the importance of responsive vendor-side security engineering and of trust in coordinated vulnerability disclosure frameworks.

    Corporate defenders and MSSPs should likewise maintain close visibility into exploit development platforms such as GitHub and the Metasploit Framework to adapt defensive controls preemptively.

    CVE-2025-2611 represents a high-severity risk to any organization operating ICTBroadcast version 7.4 or earlier—especially if externally exposed. It combines insecure network exposure, lack of authentication, and improperly handled input data into an easily abused exploit vector.

    Organizations should immediately:

    • Remove ICTBroadcast from internet-facing environments.
    • Implement detections via VulnCheck, Suricata, or equivalent tooling.
    • Monitor for abnormal shell traffic and cookie manipulation attempts.

    Long-term, this incident reinforces two perennial lessons in cyber defense: never treat session data as secure without validation, and never expose internal service software to the public internet.
