Cybersecurity researchers have identified active exploitation of a critical vulnerability in ICTBroadcast — an automatic call-campaigning program used by contact centres. Due to a flaw in input validation, attackers can obtain remote access to servers without authentication.

The vulnerability has been assigned the identifier CVE-2025-2611 and a CVSS score of 9.3, which classifies it as critical. The flaw is that the application passes the value of the BROADCAST session cookie to a shell wrapper without sanitising it, which allows an unauthenticated attacker to inject operating-system commands. The firm VulnCheck reported that the vulnerability is being exploited in the wild. In the first stage of an attack, intruders confirm that commands execute by sending a Base64-encoded `sleep 3` probe, and then launch reverse shells to take control of the system.
Analysis showed that the intruders use the domain localto[.]net and the IP address 143.47.53[.]106, both of which were previously observed in campaigns distributing Ratty RAT, a Java remote-access trojan used in attacks on companies in Spain, Italy and Portugal.
There is currently no information about an available patch, and the number of exposed online instances of ICTBroadcast is estimated at around 200 active servers. Experts recommend immediately restricting public access to servers and implementing additional security monitoring.
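The additional monitoring recommended above can start with a check on the one input the article names: the BROADCAST session cookie. The helper below is an added example written for this note, not ICTBroadcast or VulnCheck code; it assumes a proxy or WAF logs the cookie value as a quoted field (a constructed format) and flags values that contain shell syntax or a Base64 run decoding to a command such as the `sleep 3` probe.

```python
"""Hypothetical detection helper (not ICTBroadcast code): flag BROADCAST cookie
values carrying shell syntax or base64-encoded commands. Samples are constructed."""
import base64
import re

SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n]")  # never needed in a session id
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")  # base64 long enough for a command
# Tokens typical of the "sleep" probe the article describes and of reverse shells.
SUSPICIOUS_TOKENS = ("sleep", "bash", "/dev/tcp", "nc ", "curl", "wget")
COOKIE_RE = re.compile(r'"BROADCAST=([^"]*)"')  # constructed: cookie logged quoted

def decode_b64_runs(value: str) -> list[str]:
    """Return each base64 run in value that decodes to printable UTF-8 text."""
    decoded = []
    for run in B64_RUN.findall(value):
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue  # not base64, or binary junk: a real session id lands here
        if text.isprintable():
            decoded.append(text)
    return decoded

def inspect_cookie(value: str) -> list[str]:
    """Return the reasons a BROADCAST cookie value looks like command injection."""
    findings = []
    if SHELL_METACHARS.search(value):
        findings.append("shell metacharacters in session cookie")
    for text in decode_b64_runs(value):
        if any(tok in text.lower() for tok in SUSPICIOUS_TOKENS):
            findings.append(f"base64 run decodes to shell command: {text!r}")
    return findings

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, findings) for every line whose cookie is suspicious."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COOKIE_RE.search(line)
        if m and (findings := inspect_cookie(m.group(1))):
            hits.append((n, findings))
    return hits

# Constructed sample: a normal session id, the base64 "sleep 3" probe, shell syntax.
PROBE = base64.b64encode(b"sleep 3").decode()
SAMPLE_LOG = [
    '203.0.113.7 GET /index.php 200 "BROADCAST=5f2a9c0e7b1d4e8a2c3b"',
    f'203.0.113.9 GET /index.php 200 "BROADCAST={PROBE}"',
    '203.0.113.9 GET /index.php 200 "BROADCAST=abc;id"',
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 and 3 only; a hit is a reason to isolate the host and review its process tree, since a successful probe is followed by a reverse shell.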
ICTBroadcast is a product of ICT Innovations, intended to automate telephone campaigns and manage call flows in contact centres. Because of its active use in business, it has become an attractive target for attackers seeking remote control over communications systems.

Similar cookie-injection exploits were used against corporate servers in 2024–2025, notably targeting telecommunications operators and financial institutions. This case confirms the trend of abusing legitimate services to deploy backdoors and RAT tools.
CVE-2025-2611 demonstrates how even seemingly minor mistakes in cookie handling can be dangerous. Attackers increasingly combine old injection techniques with modern RAT toolsets to maintain persistent access to corporate networks. Until ICT Innovations issues an update, users are advised to temporarily disable public access to the system and deploy EDR monitoring.