CVE-2025-2611

🗓️ 05 Aug 2025 15:00:32Reported by VulnCheckType

cve🔗 web.nvd.nist.gov📰️ 7 Media mentions👁 73 Views🌐 WEB

ICTBroadcast allows unauthenticated remote code execution via insecure session cookie handling in version 7.4 and below.

Reporter	Title	Published	Views	Family All 17
Circl	CVE-2025-2611	5 Aug 202507:39	–	circl
CNNVD	ICT Innovations ICTBroadcast 安全漏洞	5 Aug 202500:00	–	cnnvd
Cvelist	CVE-2025-2611 ICTBroadcast <= 7.4 Unauthenticated Session Cookie RCE	5 Aug 202515:00	–	cvelist
EUVD	EUVD-2025-23629	5 Aug 202515:00	–	euvd
Metasploit	ICTBroadcast Unauthenticated Remote Code Execution	5 Aug 202518:56	–	metasploit
Nuclei	ICTBroadcast - Command Injection	7 Jun 202603:02	–	nuclei
NVD	CVE-2025-2611	5 Aug 202515:15	–	nvd
Packet Storm	📄 ICTBroadcast Unauthenticated Remote Code Execution	5 Aug 202500:00	–	packetstorm
Packet Storm	📄 ICTBroadcast 7.0 Remote Code Execution	17 Dec 202500:00	–	packetstorm
Positive Technologies	PT-2025-31937	19 Mar 202500:00	–	ptsecurity

Vulners

Node

ict_innovations ictbroadcastRange0–7.4linux

[
  {
    "defaultStatus": "unknown",
    "platforms": [
      "Linux"
    ],
    "product": "ICTBroadcast",
    "vendor": "ICT Innovations",
    "versions": [
      {
        "lessThanOrEqual": "7.4",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
vulncheck	www.vulncheck.com/blog/ictbroadcast-kev
vulncheck	www.vulncheck.com/advisories/ictbroadcast-unauthenticated-session-cookie-rce
github	www.github.com/rapid7/metasploit-framework/pull/20446

Parameter	Position	Path	Description	CWE
Cookie	header	/login.php	Unauthenticated remote command execution via tampered session cookies (CWE-78)	CWE-78

15 Apr 2026 00:35Current

7.7High risk

Vulners AI Score7.7

CVSS 49.3

EPSS0.756

SSVC