CVE-2025-2611

ICTBroadcast <= 7.4 Unauthenticated Session Cookie RCE

CVSS 9.3 CRITICAL | EPSS 6.1% | CWE-78
Vexday Risk Score
63 High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3 | EPSS 6.1% | KEV: no | PoC: public | Nuclei: yes | Metasploit: yes | Patch
Lifecycle
19 Mar 2025: Metasploit module available
05 Aug 2025: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.