CVE-2025-2611 🛡️
ICTBroadcast <= 7.4 is vulnerable to unauthenticated remote code execution. The /login.php page issues a session cookie, and server-side code evaluates certain cookie keys using shell backticks. An attacker can therefore inject arbitrary system commands into the cookie, and they are executed during session handling without authentication.
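A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or from ICTBroadcast's code: it flags request cookies whose percent-decoded value contains characters that change meaning inside shell backticks. The advisory does not name the affected cookie keys, so every cookie is checked; the name `exampleKey`, the client addresses and the sample records are constructed.

```python
import re
from urllib.parse import unquote

# Characters and sequences that change meaning once a string sits inside shell
# backticks. '&' and ';' can appear in benign cookies; tune this for your traffic.
SHELL_META = re.compile(r"[`;|&<>\n\r]|\$\(|\$\{")


def suspicious_cookies(cookie_header):
    """Return [(name, decoded_value)] for cookie pairs carrying shell metacharacters."""
    hits = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue  # fragment without '=' is not a cookie pair
        decoded = value
        for _ in range(2):  # PHP percent-decodes cookie values; second pass catches double encoding
            decoded = unquote(decoded)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(requests):
    """requests: iterable of (client, path, cookie_header) taken from proxy or WAF logs."""
    alerts = []
    for client, path, cookie_header in requests:
        for name, value in suspicious_cookies(cookie_header):
            alerts.append({"client": client, "path": path, "cookie": name, "value": value})
    return alerts


# Constructed sample records (not real traffic). 'exampleKey' is a hypothetical name.
SAMPLE = [
    ("198.51.100.7", "/login.php", "PHPSESSID=9f2c1e7ab4d05566; lang=en"),
    ("203.0.113.24", "/login.php", "PHPSESSID=9f2c1e7ab4d05566; exampleKey=%60id%60"),
    ("203.0.113.24", "/index.php", "exampleKey=%2560id%2560"),
    ("198.51.100.9", "/login.php", "token=YWJjZGVm=="),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Matching on the decoded value matters because a filter that only inspects the raw header misses the percent-encoded form.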