Cybersecurity researchers have issued an urgent warning after discovering that a critical security flaw in ICTBroadcast, an autodialer software, is being actively exploited in the wild. The vulnerability, identified as CVE-2025-2611 (CVSS score: 9.3), allows for unauthenticated remote code execution (RCE).
The Attack Mechanism
The root cause of the flaw is improper input validation within the call center application, which unsafely passes session cookie data to shell processing. This allows an attacker to inject shell commands into a session cookie, specifically the BROADCAST cookie, which are then executed on the vulnerable server. The security flaw impacts ICTBroadcast versions 7.4 and below.
Security firm VulnCheck reported detecting in-the-wild exploitation on October 11th, with attacks unfolding in two phases. Attackers first perform a time-based exploit check, injecting a Base64-encoded command that translates to a "sleep 3" instruction to confirm command execution. Once confirmed, they attempt to set up reverse shells to maintain persistent access.
The observed payloads made connections to a specific IP address and used a localto.net URL. These indicators have been previously linked to a separate email campaign distributing the Ratty RAT malware, suggesting possible reuse of tools or shared infrastructure among threat actors. VulnCheck estimates that approximately 200 online instances of the vulnerable software are currently exposed. At the time of this report, there is no information available regarding a patch for the flaw.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
