Remote Shell Access

Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), stems from improper input validation that can result in unauthenticated remote code execution, because the call center application passes session cookie data to a shell without sanitizing it.

This, in turn, allows an attacker to inject shell commands into a session cookie that are then executed on the vulnerable server. The security flaw affects ICTBroadcast versions 7.4 and below.

"Attackers are leveraging the unauthenticated command injection in ICTBroadcast via the BROADCAST cookie to gain remote code execution," VulnCheck's Jacob Baines said in a Tuesday alert. "Approximately 200 online instances are exposed."

The cybersecurity firm said it detected in-the-wild exploitation on October 11. The attacks occurred in two phases: a time-based exploit check, followed by attempts to set up reverse shells.

To that end, unknown threat actors have been observed injecting, via the BROADCAST cookie of specially crafted HTTP requests, a Base64-encoded command that decodes to "sleep 3" to confirm command execution, and then creating reverse shells.
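As an added illustration of how a defender might triage BROADCAST cookie values pulled from proxy or web-server logs (example code written for this article, not VulnCheck's or ICT Innovations' code), the check below strictly Base64-decodes each value and flags anything that is not a plain session identifier; the assumed session-ID format and the sample values are constructed.

```python
import base64
import re
from typing import List, Optional, Tuple

# Assumption (not from the advisory): a legitimate BROADCAST session
# identifier is a 16-64 character alphanumeric token.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")
# Characters a shell interprets; none belong in a session identifier.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
# Command words tied to the two reported phases (timing check, then
# reverse-shell setup with mkfifo + nc) plus common download helpers.
SUSPICIOUS_CMDS = {"sleep", "mkfifo", "nc", "sh", "bash", "curl", "wget"}


def try_base64(value: str) -> Optional[str]:
    """Strictly Base64-decode value; None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_command(text: str) -> bool:
    """True if text carries shell metacharacters or a known command word."""
    if SHELL_META.search(text):
        return True
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text)
    return any(w in SUSPICIOUS_CMDS for w in words)


def classify_cookie(value: str) -> str:
    """Verdict: 'ok', 'shell-metachars', 'encoded-command' or 'malformed'."""
    if SHELL_META.search(value):
        return "shell-metachars"          # raw, unencoded injection attempt
    decoded = try_base64(value)
    if decoded is not None and looks_like_command(decoded):
        return "encoded-command"          # e.g. the Base64 "sleep 3" probe
    if SESSION_ID_RE.fullmatch(value):
        return "ok"
    return "malformed"                    # reject before any session lookup


def scan_cookie_values(values: List[str]) -> List[Tuple[str, str]]:
    """Return (value, verdict) for every value that is not a clean session ID."""
    verdicts = [(v, classify_cookie(v)) for v in values]
    return [(v, verdict) for v, verdict in verdicts if verdict != "ok"]


# Constructed sample values, as they would appear in a Cookie header.
SAMPLE_VALUES = [
    "4f2a9c1e7b3d5a6e8c0f1b2d3e4a5c6d",  # looks like a normal session ID
    "c2xlZXAgMw==",                      # Base64 of "sleep 3" (phase-one probe)
    "4f2a9c1e;sleep 3",                  # unencoded injection attempt
    "abc",                               # too short to be a session ID
]

if __name__ == "__main__":
    for value, verdict in scan_cookie_values(SAMPLE_VALUES):
        print(f"{verdict:16} {value}")
```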

"The attacker used a localto[.]net URL in the mkfifo + nc payload, and also made connections to 143.47.53[.]106 in other payloads," Baines noted.

It's worth noting that both the localto.net link and the IP address were previously flagged by Fortinet in connection with an email campaign distributing a Java-based remote access trojan (RAT) named Ratty RAT targeting organizations in Spain, Italy, and Portugal.

These indicator overlaps suggest possible reuse or shared tooling, VulnCheck pointed out. In a statement shared with The Hacker News, ICT Innovations said it has implemented additional security measures in the session management module of ICTBroadcast to address the issue.

ICTBroadcast enterprise version 7.2.12 has "integrated validation checks before session read, write, and destroy operations to block unauthorized or malformed session identifiers," Tahir Almas, CEO of ICT Innovations, said. "These changes prevent session fixation and injection attacks by ensuring only valid session IDs are processed, enhancing overall session integrity."

VulnCheck, in response to the latest development, said it cannot confirm the availability of 7.2.12 or that the issue has been resolved based on information in the available repository. The cybersecurity company said it "continues to see exploitation activity as well."

(The story was updated on November 6, 2025, with information about fixes for the flaw.)
