Cyber Resilience

CVE-2025-2292

Severity: Medium · Public PoC: yes

Published: 31 March 2025
Modified: 27 December 2025
KEV Added: not listed
Patch: CompletePBX 5.2.36-1
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5280 (98.0th percentile)
Risk Priority: 45 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2292 is a medium-severity path traversal (CWE-22) vulnerability in Xorcom CompletePBX. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 2.0% of all CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-2292 is an authenticated path traversal vulnerability (CWE-22) in Xorcom CompletePBX, affecting versions through 5.2.35. The flaw exists in the Backup and Restore functionality, enabling arbitrary file reads. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact.

An attacker with low-privilege authenticated access can exploit this over the network with low attack complexity and no user interaction. Exploitation allows reading arbitrary files on the affected system, potentially disclosing sensitive data such as configuration files or credentials.

Vendor advisories recommend upgrading to CompletePBX version 5.2.36-1, which addresses the issue, as detailed in Xorcom's release notes. Further technical analysis is provided in the VulnCheck advisory on CompletePBX file disclosure.

Vulnerability details

Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX through version 5.2.35.

CWE(s)

CWE-22: Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Authenticated path traversal enables arbitrary file reads on the local system, directly facilitating collection of sensitive data from files (T1005) including credentials (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30005: same product (Xorcom CompletePBX)
CVE-2025-30004: same product (Xorcom CompletePBX)
CVE-2026-33166: shared CWE-22
CVE-2026-23491: shared CWE-22
CVE-2026-35668: shared CWE-22
CVE-2026-0651: shared CWE-22
CVE-2026-26985: shared CWE-22
CVE-2026-24849: shared CWE-22
CVE-2026-4659: shared CWE-22
CVE-2025-1035: shared CWE-22

Affected Assets

Vendor: xorcom
Product: completepbx
Versions: ≤ 5.2.36.1

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly mitigates the path traversal vulnerability by requiring timely application of the vendor-recommended upgrade to CompletePBX version 5.2.36-1.

Prevent (SI-10, Information Input Validation): Enforces input validation on file paths in the Backup and Restore functionality to block path traversal attempts (CWE-22).

Detect (AU-13, Monitoring for Information Disclosure): Monitors for unauthorized file disclosures through the vulnerable Backup and Restore feature, enabling detection of exploitation.
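As an added illustration of the SI-10 input validation control above (example code, not CompletePBX's own; the backup directory, the archive-name pattern and the function names are assumptions), a server-side check that maps an untrusted backup name to a file inside the backup directory and refuses everything else:

```python
"""Server-side validation of an untrusted backup-file name, the kind of
SI-10 check a Backup and Restore feature needs against CWE-22."""
import re
from pathlib import Path

# Assumed archive location; a constructed placeholder, not a path from the advisory.
BACKUP_DIR = Path("/var/lib/pbx-backups")

# Allow-list: a flat archive file name and nothing else (no '/', no '..', no NUL, no '%').
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz")


class BackupPathError(ValueError):
    """Raised when a requested name cannot be mapped to a file inside BACKUP_DIR."""


def resolve_backup_path(requested: str, base_dir: Path = BACKUP_DIR) -> Path:
    """Map an untrusted (already URL-decoded) name to a path directly inside base_dir.

    Two independent layers: a strict allow-list on the raw string, then a
    containment check on the canonical path. The second layer also catches an
    escape through a symlink placed inside the backup directory, which a
    string check alone cannot see.
    """
    if not SAFE_NAME.fullmatch(requested):
        raise BackupPathError(f"rejected backup name: {requested!r}")
    base = base_dir.resolve()
    candidate = (base / requested).resolve()  # follows symlinks; file need not exist
    if candidate.parent != base:
        raise BackupPathError(f"name escapes {base}: {requested!r}")
    return candidate


def is_safe_backup_name(requested: str, base_dir: Path = BACKUP_DIR) -> bool:
    """Predicate form for request handlers and for logging rejected input."""
    try:
        resolve_backup_path(requested, base_dir)
        return True
    except BackupPathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate archive name, then malformed shapes.
    for name in ("pbx-2025-03-31.tar.gz", "../../etc/passwd", "/etc/passwd",
                 "backup.tar.gz\x00.txt", "..%2f..%2fetc%2fpasswd", "sub/backup.tar.gz"):
        verdict = "allowed" if is_safe_backup_name(name) else "rejected"
        print(f"{name!r:32} -> {verdict}")
```

Run the validation on the decoded parameter value the web framework hands the handler, and log every rejection: those records are the input the AU-13 monitoring control below consumes.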
