Critical ICTBroadcast flaw (CVE-2025-2611) exploited to deploy reverse shells

Cybersecurity researchers reported that a critical flaw in ICTBroadcast, an autodialer application from ICT Innovations, is being actively exploited in the wild. The vulnerability is tracked as CVE-2025-2611 and carries a CVSS score of 9.3, according to the disclosure.

The defect is an improper input validation issue: the call center application unsafely passes session cookie data to shell processing, which allows unauthenticated remote code execution. An attacker can inject shell commands into a session cookie and have them executed on the vulnerable server, the report states. ICTBroadcast versions 7.4 and below are affected.

In a Tuesday alert, VulnCheck’s Jacob Baines said that attackers are leveraging the unauthenticated command injection via the ‘BROADCAST’ cookie to gain remote code execution, and that approximately 200 online instances are exposed. The firm said it detected exploitation in the wild on October 11.

VulnCheck said the attacks occurred in two phases, beginning with a time-based check and followed by attempts to establish reverse shells. Observed payloads included a Base64-encoded command that decodes to ‘sleep 3’ and mkfifo plus netcat sequences that referenced a localto[.]net URL and the IP 143.47.53[.]106. The firm noted that those indicators overlap with infrastructure previously flagged by Fortinet in an email campaign distributing a Java-based RAT, suggesting possible reuse or shared tooling.
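For defenders reviewing web logs, the following added example (not from VulnCheck or ICT Innovations) flags ‘BROADCAST’ cookie values that are not plain session tokens and decodes any Base64 runs to look for the commands and indicators named above. The log format, the sample lines and the rule that a normal session ID contains only letters, digits, commas and hyphens are assumptions.

```python
import base64
import binascii
import re

COOKIE = re.compile(r'BROADCAST=([^;"]*)')
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9,-]*$")  # assumption: shape of a normal session ID
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
COMMANDS = re.compile(r"\b(sleep|mkfifo|nc|netcat)\b")
# Indicators named in the article, kept defanged here and refanged only for matching.
INDICATORS = [i.replace("[.]", ".") for i in ("localto[.]net", "143.47.53[.]106")]

def inspect_cookie(value):
    """Return the reasons a BROADCAST cookie value looks like command injection."""
    if PLAIN_TOKEN.match(value):
        return []
    reasons = ["non-token characters"]
    texts = [value]
    for run in B64_RUN.findall(value):
        try:
            texts.append(base64.b64decode(run, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            continue  # not valid Base64; the raw value is still checked
    for text in texts:
        reasons += sorted(set(COMMANDS.findall(text)))
        reasons += [i for i in INDICATORS if i in text]
    return reasons

def scan(log_lines):
    """Map 1-based line number to reasons, for lines with a suspicious cookie."""
    hits = {}
    for number, line in enumerate(log_lines, 1):
        match = COOKIE.search(line)
        reasons = inspect_cookie(match.group(1)) if match else []
        if reasons:
            hits[number] = reasons
    return hits

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed log lines in a hypothetical format; the encoded strings are inert stand-ins.
SAMPLE_LOG = [
    '198.51.100.7 "GET /" cookie="BROADCAST=k3f9a7c2e1b04d5f8a6c"',
    '203.0.113.9 "GET /" cookie="BROADCAST=x|%s"' % b64("sleep 3"),
    '203.0.113.9 "GET /" cookie="BROADCAST=x|%s"' % b64("mkfifo PIPE; nc HOST PORT"),
]

print(scan(SAMPLE_LOG))
```

A hit on "non-token characters" alone is worth triage even when nothing decodes, since the keyword list only covers the payloads reported so far.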

There is currently no information available on the patch status.