Dialing Danger: Hackers Hijack Call Center Servers with Cookie Exploit
Cybercriminals exploit a critical flaw in ICTBroadcast software, turning innocent cookies into weapons for remote server control.
Fast Facts
- A major vulnerability, CVE-2025-2611, affects ICTBroadcast versions 7.4 and below.
- Attackers inject commands through a session cookie, gaining remote shell access.
- At least 200 servers are exposed online, with active exploitation detected since October 11.
- The same hacking infrastructure is linked to earlier campaigns using the Ratty RAT malware in Southern Europe.
- No official patch has been released as of this report.
The Cookie Crumbles: Anatomy of a Digital Heist
Imagine a call center humming with activity, its phones buzzing with automated messages. Now picture invisible hands slipping in through a digital side door, hijacking the very system meant to connect people. This isn’t fiction, but the reality facing hundreds of organizations running ICTBroadcast, a popular autodialer platform, after hackers discovered a gaping hole in its defenses.
The exploit, labeled CVE-2025-2611 and scoring a worrying 9.3 on the widely used CVSS risk scale, is alarmingly simple. ICTBroadcast’s software, designed to manage massive phone campaigns, carelessly hands off session cookie data - the digital equivalent of a backstage pass - directly to the server’s command line. For attackers, this is like being handed a blank check: by sneaking malicious instructions into a cookie called BROADCAST, they can make the server do their bidding, from running test commands to opening a “reverse shell” - a secret backchannel for full remote control.
Echoes of Past Attacks and a Wider Web
The breach didn’t happen in isolation. Cybersecurity firm VulnCheck spotted the first signs of trouble on October 11, tracking a two-step process: hackers first checked if their exploit worked by telling the server to “sleep” for a few seconds, then moved to set up persistent remote access. The infrastructure used - suspicious URLs and IP addresses - matches those from a previous malware campaign in Southern Europe, where the notorious Ratty RAT was used to spy on organizations in Spain, Italy, and Portugal.
This overlap hints at either recycled tools or a coordinated hacking group, a pattern increasingly common in the cyber underworld. As cloud call centers and remote work become the backbone of modern business, vulnerabilities like this one offer cybercriminals a shortcut to sensitive communications, customer data, and even larger networks.
The ICTBroadcast flaw isn’t the first time call center software has been targeted. In recent years, similar command injection bugs have plagued systems like Asterisk and FreePBX, often serving as stepping stones for ransomware attacks, data theft, or large-scale fraud. What sets CVE-2025-2611 apart is its simplicity and the lack of authentication needed - no passwords, no insider access required, just a carefully crafted cookie delivered at the right moment.
Waiting for a Patch, Watching the Clock
As of now, ICT Innovations, the company behind ICTBroadcast, has not released an official fix. With over 200 vulnerable instances already exposed and attackers actively exploiting the flaw, time is of the essence. For organizations relying on automated dialing, the message is stark: apply the vendor's fix the moment one ships, monitor for suspicious activity in the meantime, and never underestimate the humble cookie.
WIKICROOK
- Remote Code Execution (RCE): An attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Session Cookie: A small piece of data your browser stores and sends back to a website to keep you logged in; if stolen, it can let others access your account.
- Reverse Shell: A hacked computer secretly connects back to an attacker, giving them remote control and bypassing standard security defenses.
- Base64 Encoding: Base64 converts arbitrary data into a string of printable text characters, making it easier to embed or transfer files and code within text-based systems.
- Command Injection: A vulnerability where attackers trick a system into running unauthorized commands by inserting malicious input into fields the application passes on to the operating system.