At ICT Innovations, we take the security and stability of ICTBroadcast extremely seriously. Recently, critical vulnerability reports surfaced on The Hacker News and other reputable security outlets, highlighting an issue that could allow attackers to execute malicious commands on exposed ICTBroadcast systems. We want to assure our community that these concerns have been thoroughly analyzed and resolved, and that appropriate fixes are in place for affected customers.

The Reported Security Vulnerability:

In late 2025, a critical security flaw was publicly disclosed affecting ICTBroadcast versions 7.4 and earlier. This issue was tracked as CVE-2025-2611 and described in detail by The Hacker News and multiple cybersecurity research feeds.

What the Vulnerability Was

  • The flaw allowed unauthenticated remote code execution (RCE).
  • It stemmed from improper handling of session cookies — the application would process the BROADCAST cookie in a way that enabled attackers to inject commands into the system shell.
  • Due to the nature of the bug, attackers could gain remote shell access without credentials.

This issue was reported on platforms such as The Hacker News, where cybersecurity analysts emphasized its critical severity and the risk of active exploitation.

Original Issue & Research Links:

Here are key references for additional context regarding this vulnerability:

  • https://thehackernews.com/2025/10/hackers-target-ictbroadcast-servers-via.html
  • https://www.scworld.com/brief/exploitation-of-sneeit-wordpress-rce-ictbroadcast-flaw-ongoing
  • https://www.instagram.com/p/DTLrPMMj2uI/

How ICT Innovations Responded:

Immediately upon confirmation of the issue, the ICT Innovations engineering and security response teams:

  • Analyzed the vulnerability in detail using multiple threat intelligence sources, including public advisories and proof-of-concept exploit modules.
  • Reviewed session handling and cookie parsing code to identify unsafe operations that could lead to command injection.
  • Implemented and released updates to ensure input validation of session identifiers and secure processing of cookie data.
  • Strengthened internal session management modules to ensure cookie values are validated and sanitized before use.
  • Coordinated with cybersecurity researchers to confirm mitigation and closure of the exploit vector.

A sample security patch involved adding robust session ID validation logic to prevent malformed or malicious session identifiers from ever reaching a shell execution context.

Technical Fix: Session Management Hardening (CVE-2025-2611)

Following the responsible disclosure of the unauthenticated command injection vulnerability (CVE-2025-2611), the ICT Innovations team implemented additional security measures in the ICTBroadcast session management module to fully address the identified risk.

Session ID Validation Implementation

A strict session ID validation function was added in the Session.php file to ensure that only safe and well-formed session identifiers are processed:

private function valid_sid(string $id): bool {
    // allow letters, numbers, dash, underscore, comma; max length 128
    // anchored at both ends so the whole value, not just a prefix, must match
    return (bool) preg_match('/^[A-Za-z0-9,_-]{1,128}$/', $id);
}

This validation ensures that:

  • Only alphanumeric characters and three safe symbols (dash, underscore, comma) are accepted
  • Session ID length is restricted to 128 characters
  • Malformed or malicious session identifiers are rejected

Enforcement Across Session Operations

The validation checks have been integrated before all session lifecycle operations, including:

  • Session read
  • Session write
  • Session destroy

Any unauthorized or malformed session identifier is immediately blocked, preventing session fixation, injection, or command execution attempts.
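As an added illustration (not ICTBroadcast's own code), the following minimal PHP 8 session handler applies the same allow-list check as valid_sid before every read, write and destroy, so a cookie value that fails validation is never used to build a filesystem path or any other command. The class name, storage directory and sample cookie values are assumptions constructed for this example.

```php
<?php
// Added example, not ICTBroadcast code. The class name, storage directory and
// sample cookie values below are assumptions constructed for illustration.
final class StrictSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir) {}

    // Same allow-list as the patch: letters, digits, comma, underscore, dash; 1..128 chars.
    public static function valid_sid(string $id): bool
    {
        return (bool) preg_match('/^[A-Za-z0-9,_-]{1,128}$/', $id);
    }

    private function path(string $id): string
    {
        return rtrim($this->dir, '/') . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    public function close(): bool { return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    // Every lifecycle operation checks the id first; a bad id is treated as "no session".
    public function read(string $id): string|false
    {
        if (!self::valid_sid($id)) { return ''; }
        return is_file($this->path($id)) ? (string) file_get_contents($this->path($id)) : '';
    }

    public function write(string $id, string $data): bool
    {
        if (!self::valid_sid($id)) { return false; }
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        if (!self::valid_sid($id)) { return false; }
        return !is_file($this->path($id)) || unlink($this->path($id));
    }
}

// Constructed cookie values: only the first is well-formed under the allow-list.
foreach (['abc123,-_XYZ', '../../other_dir', 'abc;def', str_repeat('a', 129)] as $sid) {
    printf("%-16s %s\n", substr($sid, 0, 16), StrictSessionHandler::valid_sid($sid) ? 'accepted' : 'rejected');
}
```

Register the handler with session_set_save_handler(new StrictSessionHandler('/path/to/sessions'), true) before session_start(); the directory is a placeholder to replace with a location writable only by the web server user.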

Purpose of the Fix

These changes:

  • Prevent session fixation and session injection attacks
  • Ensure strict validation of all session identifiers before use
  • Improve overall session integrity
  • Reduce ICTBroadcast’s attack surface

Patch & Solution Implementation

What Customers Should Do

✔️ Apply the latest ICTBroadcast update if you are on a version earlier than the secure release.
✔️ Verify that your installation is not publicly accessible unless protected behind firewalls or VPN.
✔️ Rotate session keys and authentication secrets if your system was exposed prior to patching.
✔️ Monitor access logs and session operations for any unusual behavior or unauthorized access attempts.

Important Update:
The reported security issue (CVE-2025-2611) has been fully resolved in the latest ICTBroadcast Enterprise release (version 7.2.12). Customers are strongly advised to upgrade to the latest version, as it includes all relevant security fixes and session management hardening.

Download & Installation:
The latest secure version of ICTBroadcast can be downloaded and installed from the official website:
https://www.ictbroadcast.com/download/

Upgrading to the latest release ensures that all known security vulnerabilities related to this issue have been addressed and that your system benefits from the most recent security enhancements.

Conclusion:

At ICT Innovations, we continuously monitor vulnerability disclosures from trusted security researchers and platforms such as The Hacker News and VulnCheck. When issues are identified, we respond with urgency, transparency, and effective remediation.

The resolution of CVE-2025-2611 reinforces our commitment to delivering a secure, enterprise-grade communication platform and maintaining customer trust through proactive security practices.