Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access
Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution due to the fact that the call center
AI Analysis
Technical Summary
The disclosed vulnerability CVE-2025-2611 in ICTBroadcast, an autodialer software widely used in call centers, stems from improper input validation of session cookie data. Specifically, the BROADCAST cookie is unsafely passed to shell processing functions, allowing attackers to inject arbitrary shell commands. This unauthenticated remote code execution (RCE) flaw enables threat actors to execute commands on the server hosting ICTBroadcast without needing valid credentials or user interaction. Exploitation involves sending specially crafted HTTP requests containing Base64-encoded commands within the BROADCAST cookie. Initial exploitation attempts use time-based command execution checks (e.g., "sleep 3") to confirm vulnerability, followed by payloads that establish reverse shells, granting persistent remote access. The attack infrastructure includes URLs and IP addresses previously linked to a Java-based remote access trojan (Ratty RAT) campaign targeting European countries such as Spain, Italy, and Portugal, indicating possible shared tooling or threat actor overlap. Approximately 200 publicly exposed ICTBroadcast instances running version 7.4 or earlier are vulnerable. The lack of an available patch heightens the urgency for organizations to implement mitigations and monitor for indicators of compromise. Given the critical CVSS score of 9.3 assigned to this vulnerability, the risk of widespread exploitation and potential data breaches or operational disruption is significant.
Potential Impact
For European organizations, especially those operating call centers or telephony infrastructure using ICTBroadcast, this vulnerability presents a critical threat. Successful exploitation can lead to full server compromise, enabling attackers to execute arbitrary commands, deploy malware, exfiltrate sensitive data, or disrupt telephony services. The ability to gain remote shell access without authentication increases the attack surface and lowers the barrier for threat actors. The linkage of attack infrastructure to prior campaigns targeting Spain, Italy, and Portugal suggests these countries' organizations are at heightened risk. Disruption of call center operations can impact customer service, regulatory compliance, and business continuity. Additionally, compromised servers may serve as pivot points for lateral movement within networks, increasing the risk of broader organizational compromise. The absence of a patch and active exploitation in the wild further exacerbate the threat landscape for European entities reliant on ICTBroadcast.
Mitigation Recommendations
1. Immediately identify and inventory all ICTBroadcast instances, focusing on versions 7.4 and below.
2. Restrict external access to ICTBroadcast servers by implementing network segmentation and firewall rules to limit exposure to trusted IPs only.
3. Monitor web server logs for suspicious HTTP requests containing unusual or Base64-encoded data in the BROADCAST cookie.
4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block command injection attempts targeting the BROADCAST cookie parameter.
5. Implement strict input validation and sanitization at the application or proxy level to prevent shell command injection via cookies.
6. Establish enhanced endpoint detection and response (EDR) monitoring on ICTBroadcast servers to detect reverse shell activity and anomalous process execution.
7. Engage with ICT Innovations for updates on patch availability and apply patches immediately upon release.
8. Consider temporary deactivation or replacement of ICTBroadcast with alternative solutions until a secure version is available.
9. Conduct threat hunting exercises focusing on indicators such as connections to known malicious IPs (e.g., 143.47.53.106) and domains (localto.net).
10. Educate IT and security teams on this vulnerability and response procedures to ensure rapid detection and containment.
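The log-monitoring step in recommendation 3 can be scripted. The Python below is an added example written for this page; it is not code from the original analysis, from ICT Innovations, or from the researchers. It pulls the BROADCAST cookie value out of each access-log line, Base64-decodes it where that succeeds, and flags values that contain shell constructs (command substitution, pipes, the /dev/tcp pseudo-device, or a command word such as the "sleep" probe mentioned in the analysis). Assumptions: the log format (combined format with the request's Cookie header appended as a final quoted field) and the sample lines are constructed; the real structure of a legitimate BROADCAST cookie is not known to this example, so the token list and metacharacter set are heuristics that may need tuning against genuine traffic before alerting on them.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Shell constructs and command words a session cookie should never carry:
# command substitution, backticks, pipes, '&&', the /dev/tcp pseudo-device
# used by reverse shells, and common probe/download/interpreter commands.
# This list is an assumption for the example; extend it for your environment.
SHELL_PATTERN = re.compile(
    r"\$\(|`|\|\||\||&&|/dev/tcp/"
    r"|(?<![\w-])(?:sleep|bash|sh|nc|ncat|curl|wget|python[23]?|perl|php)\b",
    re.IGNORECASE,
)

# BROADCAST cookie value as it appears in a logged Cookie header; the value
# ends at ';', whitespace or a quote.
BROADCAST_RE = re.compile(r"BROADCAST=([^;\s\"]+)")
CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    raw_value: str
    decoded: Optional[str]  # None when the value is not Base64 text
    matched: str            # the shell construct that triggered the alert


def encode_text(text: str) -> str:
    """Base64-encode text (used only to build the constructed samples)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_base64_text(value: str) -> Optional[str]:
    """Strictly decode a Base64 value to text; None if it is not Base64 or does
    not decode to printable text. Missing '=' padding is tolerated."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not all(ch.isprintable() or ch in "\t\r\n" for ch in text):
        return None
    return text


def inspect_cookie_value(raw_value: str):
    """Return (decoded_text, matched_construct) when the BROADCAST value looks
    like shell input, otherwise None. Base64 values are inspected after
    decoding; anything else is inspected as sent (after URL-decoding)."""
    decoded = decode_base64_text(raw_value)
    haystack = decoded if decoded is not None else unquote(raw_value)
    m = SHELL_PATTERN.search(haystack)
    if m is None:
        return None
    return decoded, m.group(0)


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """One Finding per log line whose BROADCAST cookie looks like shell input."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        cookie = BROADCAST_RE.search(line)
        if cookie is None:
            continue
        verdict = inspect_cookie_value(cookie.group(1))
        if verdict is None:
            continue
        decoded, matched = verdict
        ip = CLIENT_IP_RE.match(line)
        findings.append(Finding(line_no, ip.group(1) if ip else "?",
                                cookie.group(1), decoded, matched))
    return findings


# Constructed sample lines (not from any real server): combined log format
# with the request's Cookie header appended as a final quoted field.
_PREFIX = ('- - [15/Oct/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" '
           '200 4821 "-" "Mozilla/5.0" ')
SAMPLE_LOG = [
    # 1: ordinary Base64 session cookie that decodes to harmless text
    "198.51.100.7 " + _PREFIX + '"BROADCAST='
    + encode_text("sid=3f9a2c7e;lang=en") + '; theme=dark"',
    # 2: the time-based probe described in the analysis, Base64-encoded
    "203.0.113.45 " + _PREFIX + '"BROADCAST=' + encode_text("sleep 3") + '"',
    # 3: not Base64 at all: URL-encoded command substitution sent raw
    "203.0.113.45 " + _PREFIX + '"BROADCAST=abc$(sleep%205)def"',
    # 4: request without a BROADCAST cookie
    "198.51.100.9 " + _PREFIX + '"theme=dark"',
    # 5: plain non-Base64 value with nothing shell-like in it
    "198.51.100.7 " + _PREFIX + '"BROADCAST=agent42"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} matched {f.matched!r} "
              f"(decoded={f.decoded!r}, raw={f.raw_value!r})")
```

Run against the constructed samples, only lines 2 and 3 are reported; line 1 decodes cleanly to session-looking text and line 5 is not valid Base64 and carries no shell syntax. The decoding is strict (Base64 alphabet only, at most two pad characters, must decode to printable UTF-8) so that a random opaque token is not mis-read as a command; the raw value is still checked after URL-decoding because an attacker need not Base64-encode at all. Findings pair naturally with recommendation 9: the client IPs surfaced here are the ones to cross-check against the known indicators.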
Affected Countries
Spain, Italy, Portugal
Technical Details
- Article Source: https://thehackernews.com/2025/10/hackers-target-ictbroadcast-servers-via.html (fetched 2025-10-16, 879 words)
Threat ID: 68f049d84f645e963f0fee0d
Added to database: 10/16/2025, 1:26:48 AM
Last enriched: 10/16/2025, 1:28:55 AM
Last updated: 10/16/2025, 2:10:17 PM