Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access

Steven

Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access

Summary

Cybersecurity researchers have confirmed active exploitation of a critical command injection bug in ICTBroadcast (CVE-2025-2611, CVSS 9.3). The flaw stems from unsafe handling of session cookie data — the application passes the BROADCAST cookie into shell processing without proper validation, allowing unauthenticated attackers to inject and execute shell commands on vulnerable servers.

The issue affects ICTBroadcast versions 7.4 and earlier. VulnCheck observed exploitation beginning 11 October, with attackers using a two-stage approach: an initial time-based probe (a Base64-encoded “sleep 3” payload) to confirm execution, followed by attempts to establish reverse shells. Around 200 internet-facing instances were identified as exposed. Indicators in payloads (a localto[.]net domain and IP 143.47.53[.]106) overlap with previous campaigns distributing Ratty RAT, suggesting tool reuse or shared infrastructure. There is no public information on a patch; reporters have contacted ICT Innovations for comment.

Key Points

  • CVE-2025-2611 is an unauthenticated command-injection vulnerability in ICTBroadcast (affects v7.4 and below) with a CVSS score of 9.3.
  • The BROADCAST session cookie is improperly passed to shell processing, enabling attackers to run arbitrary commands via crafted cookie values.
  • Active exploitation was observed from 11 October; attackers used a time-based Base64-encoded payload (decodes to “sleep 3”) to confirm execution before deploying reverse shells.
  • VulnCheck found roughly 200 exposed instances online; exploitation appears to follow a two-phase probe-then-shell pattern.
  • Payload indicators (localto[.]net and IP 143.47.53[.]106) overlap with earlier Ratty RAT campaigns, hinting at reused tooling or infrastructure.
  • No public patch status at time of reporting; ICT Innovations has been contacted for comment.

Context and relevance

This vulnerability is high risk: unauthenticated remote code execution in call-centre/autodialler software gives attackers direct server access and a quick route to lateral movement or data theft. The combination of a high CVSS score, active in-the-wild exploitation, and a measurable number of exposed instances makes this a priority for organisations running ICTBroadcast or similar services. It also highlights a broader trend: legacy or niche operational systems often lack hardened input validation and get targeted quickly by opportunistic actors.

Why should I read this?

Short version: if you run ICTBroadcast (or manage infrastructure that might), this is one you can’t ignore. The bug lets anyone on the internet drop a shell via a cookie — nasty, fast, and already happening. We’ve boiled down the technical bits and indicators so you can check, mitigate or block quickly without slogging through the full report.

Source

Source: https://thehackernews.com/2025/10/hackers-target-ictbroadcast-servers-via.html