ICTBroadcast - RCE (CVE-2025-2611)
0Exploiting IPs reported
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling.
CrowdSec analysis
CVE-2025-2611 is a critical vulnerability in ICTBroadcast. This flaw allows unauthenticated attackers with network access via HTTP to easily compromise the affected system, potentially resulting in a complete takeover. Exploitation could lead to severe impacts on confidentiality, integrity, and availability, making it a prime target for remote attacks.
CrowdSec has been tracking this vulnerability and its exploits since 22nd of October 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2025-2611 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-2611 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-2611 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.
Attackers exploit ICTBroadcast by sending crafted requests with a broadcast cookie containing malicious payloads to enable shell injection commands.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.