ICTBroadcast exposed-server exploitation wave

Exploitation Wave
Happening score: 48
1 unique source, 1 article

Summary

Approximately 200 exposed ICTBroadcast instances are facing active exploitation, with attackers using a two-phase sequence that first tests command execution and then tries to establish reverse shells. The activity was detected on October 11 and targets the BROADCAST cookie on vulnerable servers. Observed payloads included localto[.]net and 143.47.53[.]106, suggesting possible tooling or infrastructure reuse.

Related Happenings

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First: 07.04.2026 18:51 Last: 07.04.2026 18:51 Sources 1

About this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...

Red Menshen telecom espionage campaign

Campaign
First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...

CyberStrikeAI observed on attacker infrastructure supporting FortiGate attack automation

Security Tool/Service
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: **CyberStrikeAI** was observed on **attacker infrastructure** supporting a live **Fortinet FortiGate** attack campaign, showing the platform can be repurposed for offensive automa...

Fortinet FortiGate CyberStrikeAI-assisted hacking campaign

Campaign
First: 03.03.2026 02:06 Last: 03.03.2026 02:06 Sources 1

About this happening: An **AI-assisted campaign** targeting **Fortinet FortiGate firewalls** has been tied to **CyberStrikeAI** infrastructure, suggesting automated tooling is helping scale attacks aga...

Ivanti EPMM exploitation wave (CVE-2026-1281)

Exploitation Wave
First: 12.02.2026 09:32 Last: 12.02.2026 09:32 Sources 1

About this happening: **Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...

Timeline

  1. 15.10.2025 09:16 2 articles · 7mo ago

    ICTBroadcast exploitation observed

    Exploitation Observed

    Unknown threat actors targeted ICTBroadcast servers by injecting a Base64-encoded command that decoded to "sleep 3" into the BROADCAST cookie to confirm command execution, then attempted to establish reverse shells; VulnCheck also observed payloads using localto[.]net and connections to 143.47.53[.]106.

  2. 15.10.2025 09:16 1 article · 7mo ago

    ICTBroadcast flaw disclosed as actively exploited

    Initial Disclosure

    Researchers disclosed active exploitation of CVE-2025-2611 in ICTBroadcast from ICT Innovations, a critical flaw in versions 7.4 and below that allows unauthenticated remote code execution through unsafe session-cookie handling; approximately 200 online instances were exposed and no patch status was available.
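
A log-triage sketch for the two phases described in the timeline, added here as an example and not taken from the cited reporting or from ICTBroadcast: it decodes Base64 runs found in the BROADCAST cookie and flags the "sleep" timing probe and the two indicators named above. The access-log layout (Cookie header logged as the last quoted field), the sample lines, and the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Indicators quoted on the page, stored defanged and refanged for matching.
IOCS = [i.replace("[.]", ".") for i in ("localto[.]net", "143.47.53[.]106")]
COOKIE_RE = re.compile(r"BROADCAST=([^;\s\"]+)")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{8,}")
SLEEP_RE = re.compile(r"\bsleep\s+\d+")


def decoded_candidates(value):
    """Yield printable ASCII recovered from Base64-looking runs in a cookie value."""
    for run in B64_RUN_RE.findall(unquote(value)):
        run += "=" * (-len(run) % 4)  # restore padding the regex left out
        try:
            text = base64.b64decode(run, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary opaque session tokens end up here
        if text.isprintable():
            yield text


def classify(log_line):
    """Return 'ioc', 'probe' or None for one access-log line."""
    match = COOKIE_RE.search(log_line)
    texts = list(decoded_candidates(match.group(1))) if match else []
    if any(ioc in t for t in texts for ioc in IOCS):
        return "ioc"
    return "probe" if any(SLEEP_RE.search(t) for t in texts) else None


def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v]


# Constructed sample lines in a hypothetical log format; addresses are
# documentation ranges and the third cookie wraps a harmless placeholder string.
_PLACEHOLDER = base64.b64encode(b"placeholder 143.47.53.106").decode()
SAMPLE_LOG = [
    '198.51.100.7 "GET / HTTP/1.1" 200 "BROADCAST=c2xlZXAgMw%3D%3D"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "BROADCAST=9f2c4e7a1b3d5f6a8c0e2b4d6f8a1c3e"',
    f'198.51.100.7 "GET / HTTP/1.1" 200 "BROADCAST={_PLACEHOLDER}"',
]
```

A "probe" hit followed by an "ioc" hit from the same client matches the two-phase sequence in the summary and is worth escalating ahead of isolated probes.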