Critical severityNVD Advisory· Published Aug 5, 2025· Updated Apr 15, 2026

CVE-2025-2611

Description

The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling.

Versions 7.4 and below are known to be vulnerable.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/rapid7/metasploit-framework/pull/20446nvd
www.vulncheck.com/advisories/ictbroadcast-unauthenticated-session-cookie-rcenvd
www.vulncheck.com/blog/ictbroadcast-kevnvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.057
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000