ICTBroadcast autodialer software exploited to gain remote shell access
Summary
A critical security flaw in ICTBroadcast, autodialer software from ICT Innovations, is being actively exploited in the wild. The vulnerability, CVE-2025-2611, allows unauthenticated remote code execution because session cookie data is not properly validated. It affects ICTBroadcast versions 7.4 and below, and approximately 200 online instances are exposed. Attackers inject shell commands into the BROADCAST cookie, which can then be executed on the vulnerable server, giving them remote shell access. The attacks occur in two phases: a time-based exploit check followed by attempts to set up reverse shells. The attackers use a Base64-encoded command to confirm command execution and establish reverse shells.
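One way to hunt for this pattern in web server logs, added here as an example and not taken from the source article or from ICT Innovations: it extracts the BROADCAST cookie from each line, decodes any Base64 tokens, and labels timing probes and reverse-shell indicators. The log format, the regular expressions and the sample lines are assumptions constructed for illustration.

```python
import base64, binascii, re

# Assumption: the web server logs the Cookie header as cookie="..." on each line.
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{8,}={0,2}')
# Heuristic indicators for the two phases described above (chosen for this example).
TIMING = re.compile(r'\bsleep\s+\d+')
REVSHELL = re.compile(r'/dev/tcp/|\bmkfifo\b|\bbash\s+-i\b')
SHELL_META = re.compile(r'[`;|&$()]')

def broadcast_value(line):
    """Return the BROADCAST cookie value from a log line, or None."""
    m = COOKIE_FIELD.search(line)
    for part in (m.group(1).split(';') if m else []):
        name, _, value = part.strip().partition('=')
        if name == 'BROADCAST':
            return value
    return None

def candidates(value):
    """Yield the raw value, then each Base64 token that decodes to printable text."""
    yield value
    for tok in B64_TOKEN.findall(value):
        try:
            padded = tok + '=' * (-len(tok) % 4)
            text = base64.b64decode(padded, validate=True).decode('utf-8')
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary session identifiers usually end up here
        if text.isprintable():
            yield text

def classify(line):
    """Label a line 'reverse-shell', 'timing-probe', 'shell-metachar' or None."""
    value = broadcast_value(line)
    if value is None:
        return None
    texts = list(candidates(value))
    if any(REVSHELL.search(t) for t in texts):
        return 'reverse-shell'
    if any(TIMING.search(t) for t in texts):
        return 'timing-probe'
    return 'shell-metachar' if SHELL_META.search(value) else None

# Constructed sample lines: documentation addresses and inert payload fragments.
inert = base64.b64encode(b'/dev/tcp/HOST/PORT').decode()
SAMPLES = [
    '192.0.2.10 "GET /" 200 cookie="lang=en; BROADCAST=8f3c2a9d7e1b4c60a5d2"',
    '198.51.100.7 "GET /" 200 cookie="BROADCAST=c2xlZXAgNQ=="',
    f'198.51.100.7 "GET /" 200 cookie="BROADCAST={inert}"',
]
for s in SAMPLES:
    print(classify(s), '<-', s)
```

A timing-probe hit followed by a reverse-shell hit from the same client matches the two-phase sequence reported for this campaign and is worth prioritising over isolated matches.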
Timeline
- 15.10.2025 09:16 · 1 article
ICTBroadcast servers exploited to gain remote shell access
On October 11, 2025, exploitation of CVE-2025-2611 in ICTBroadcast was detected. The attacks involve injecting shell commands into the BROADCAST cookie to gain remote shell access. The exploitation occurs in two phases: a time-based exploit check followed by attempts to set up reverse shells. The attackers use a Base64-encoded command to confirm command execution and establish reverse shells. The use of a localto[.]net URL and the IP address 143.47.53[.]106 in the payloads suggests possible reuse or shared tooling with a previous campaign distributing the Ratty RAT.
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
Information Snippets
- The vulnerability, CVE-2025-2611, is due to improper input validation of session cookie data in ICTBroadcast.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The flaw allows unauthenticated remote code execution on ICTBroadcast versions 7.4 and below.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- Approximately 200 online instances of ICTBroadcast are exposed to this vulnerability.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The exploitation involves injecting shell commands into the BROADCAST cookie to gain remote shell access.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The attacks occur in two phases: a time-based exploit check followed by attempts to set up reverse shells.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The attackers use a Base64-encoded command to confirm command execution and establish reverse shells.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The attackers used a localto[.]net URL and the IP address 143.47.53[.]106 in their payloads.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16
- The localto[.]net link and the IP address were previously flagged by Fortinet in connection with a Java-based remote access trojan (RAT) named Ratty RAT.
First reported: 15.10.2025 09:16 · 1 source, 1 article
- Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access — thehackernews.com — 15.10.2025 09:16