Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution due to the fact that the call center application unsafely passes session cookie data to shell processing.
This, in turn, allows an attacker to inject shell commands into a session cookie that can get executed in the vulnerable server. The security flaw affects ICTBroadcast versions 7.4 and below.
“Attackers are leveraging the unauthenticated command injection in ICTBroadcast via the BROADCAST cookie to gain remote code execution,” VulnCheck’s Jacob Baines said in a Tuesday alert. “Approximately 200 online instances are exposed.”
The cybersecurity firm said that it detected in-the-wild exploitation on October 11, with the attacks occurring in two phases, starting with a time-based exploit check followed by attempts to set up reverse shells.
To that end, unknown threat actors have been observed injecting a Base64-encoded command that translates to “sleep 3” in the BROADCAST cookie in specially crafted HTTP requests to confirm command execution and then create reverse shells.
“The attacker used a localto[.]net URL in the mkfifo + nc payload, and also made connections to 143.47.53[.]106 in other payloads,” Baines noted.
It’s worth noting that both the use of a localto.net link and the IP address were previously flagged by Fortinet in connection with an email campaign distributing a Java-based remote access trojan (RAT) named Ratty RAT targeting organizations in Spain, Italy, and Portugal.
These indicator overlaps suggest possible reuse or shared tooling, VulnCheck pointed out. There is currently no information available on the patch status of the flaw. The Hacker News has reached out to ICT Innovations for further comment, and we will update the story if we hear back.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
