Cyber Resilience

CVE-2025-30005

HighPublic PoC

Published: 31 March 2025

Published
31 March 2025
Modified
27 December 2025
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.7019 98.7th percentile
Risk Priority 59 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30005 is a high-severity Path Traversal (CWE-22) vulnerability in Xorcom Completepbx. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Xorcom CompletePBX versions up to and including 5.2.35 contain a path traversal vulnerability (CWE-22) in the Diagnostics reporting module. The flaw permits an attacker to supply crafted paths that result in arbitrary file reads, after which the retrieved file is deleted in place of the expected report output.

An authenticated user with network access can exploit the issue without user interaction. Successful attacks yield high confidentiality and integrity impact by exposing sensitive files on the system and permanently removing them, while availability is only partially affected.

The vendor released CompletePBX 5.2.36-1 to address the vulnerability, as noted in the accompanying advisory from Xorcom and the detailed write-up published by VulnCheck. Organizations should apply the update promptly and restrict access to the Diagnostics module until patched.

The EPSS score has reached a peak of 0.7471 with a current value of 0.7019, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to…

more

and prior to 5.2.35

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal in public-facing PBX web diagnostics module directly enables remote file read (T1005) and deletion (T1070.004) by low-priv users, which is exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2292Same product: Xorcom Completepbx
CVE-2025-30004Same product: Xorcom Completepbx
CVE-2026-33686Shared CWE-22
CVE-2026-33493Shared CWE-22
CVE-2026-3464Shared CWE-22
CVE-2026-25069Shared CWE-22
CVE-2025-70084Shared CWE-22
CVE-2024-54291Shared CWE-22
CVE-2025-9801Shared CWE-22
CVE-2026-3666Shared CWE-22

Affected Assets

xorcom
completepbx
≤ 5.2.36.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal exploitation by validating and rejecting malicious file path inputs in the Diagnostics reporting module.

prevent

Mitigates the vulnerability by identifying and patching the path traversal flaw as recommended in the vendor upgrade to CompletePBX 5.2.36.

detect

Detects unauthorized file deletions resulting from exploitation through integrity monitoring of system files.

References