CVE-2025-2611
BaseFortify

Publication date: 2025-08-05

Last updated on: 2025-11-04

Assigner: VulnCheck

Description
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
Meta Information
Published: 2025-08-05
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-08-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ictbroadcast
Product: ictbroadcast
Version / Range: *
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-2611 is a vulnerability in the ICTBroadcast application where the server unsafely evaluates session cookie data using backticks, allowing an attacker to inject and execute arbitrary shell commands remotely without authentication. This happens because the /login.php endpoint processes session cookies in a way that enables command injection through specially crafted cookie values. [1]


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the server hosting ICTBroadcast, potentially gaining control over the system with the privileges of the ICTBroadcast process user (commonly 'asterisk'). This can lead to full remote compromise, data theft, service disruption, and further attacks such as local privilege escalation. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by using the publicly available Metasploit module for CVE-2025-2611. The module targets the /login.php endpoint of ICTBroadcast, sending specially crafted session cookies to check for command injection. It automates detection by verifying the ICTBroadcast instance, retrieving session cookies, confirming injection through response delays, and optionally delivering a payload. To detect manually, you could use curl or similar tools to send malicious cookies to /login.php and observe the response for signs of command execution or delays. Example command using curl: curl -v --cookie "SESSION=`id`" http://target-ip/login.php. However, using the Metasploit module is recommended for reliable detection. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the ICTBroadcast /login.php endpoint to trusted networks, implementing web application firewall (WAF) rules to block suspicious cookie values or command injection patterns, and monitoring for unusual activity or unexpected commands executed by the ICTBroadcast process user. Since no patch is confirmed available, disabling or isolating vulnerable versions (7.4 and below) until a fix is released is advised. Additionally, applying network segmentation and limiting ICTBroadcast server privileges can reduce impact. [1]
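
The monitoring for suspicious cookie values suggested above can be prototyped offline with a log scanner like the one below. This is an added example, not code from BaseFortify or ICTBroadcast. It assumes the access log has been extended to record the Cookie header as cookie="..." (a layout chosen here, not taken from the page), uses constructed sample lines, and also decodes percent-encoded values, which goes beyond what the page describes.

```python
import re
from urllib.parse import unquote

# Assumed layout: combined-style access log with the Cookie header appended
# as cookie="...". Adjust the pattern to the format your server writes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'cookie="(?P<cookie>[^"]*)"'
)
# Shell command substitution and chaining: backtick, $( ${ ; | && newline.
SHELL_META = re.compile(r'`|\$\(|\$\{|;|\||&&|[\r\n]')

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalized."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cookies(line):
    """Return (ip, timestamp, cookie name, decoded value) for each cookie on a
    /login.php request whose value contains shell metacharacters."""
    m = LINE_RE.match(line)
    if not m or not m["path"].split("?", 1)[0].endswith("/login.php"):
        return []
    hits = []
    for pair in m["cookie"].split(";"):
        name, _, raw = pair.strip().partition("=")
        value = decode(raw)
        if SHELL_META.search(value):
            hits.append((m["ip"], m["ts"], name, value))
    return hits

def scan(lines):
    return [hit for line in lines for hit in suspicious_cookies(line)]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [05/Aug/2025:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 cookie="PHPSESSID=9f2c1a7b; lang=en"',
    '203.0.113.7 - - [05/Aug/2025:10:00:09 +0000] "GET /login.php HTTP/1.1" 200 512 cookie="SESSION=`id`"',
    '203.0.113.7 - - [05/Aug/2025:10:00:12 +0000] "GET /login.php HTTP/1.1" 200 512 cookie="SESSION=%2560id%2560"',
    '198.51.100.4 - - [05/Aug/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 900 cookie="theme=a|b"',
]

if __name__ == "__main__":
    for ip, ts, name, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} cookie {name!r} contains shell metacharacters: {value!r}")
```

The character set is a heuristic scoped to /login.php; cookies that legitimately carry `|` or `;` on that endpoint will need an allowlist.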

