CVE-2025-2611

critical

Description

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.

References

https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html

https://www.vulncheck.com/blog/ictbroadcast-kev

https://github.com/rapid7/metasploit-framework/pull/20446

https://thehackernews.com/2025/10/hackers-target-ictbroadcast-servers-via.html

https://www.vulncheck.com/advisories/ictbroadcast-unauthenticated-session-cookie-rce

Details

Source: Mitre, NVD

Published: 2025-08-05

Updated: 2025-11-04

Risk Information

CVSS v2

Base Score: 9.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:C

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

Severity: Critical

EPSS

EPSS: 0.37501