CVE-2025-30005

HighPublic PoC

Published: 31 March 2025

Published

31 March 2025

Modified

27 December 2025

KEV Added

—

Patch

—

CVSS Score 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.7019 98.7th percentile

Risk Priority 59 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30005 is a high-severity Path Traversal (CWE-22) vulnerability in Xorcom Completepbx. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents path traversal exploitation by validating and rejecting malicious file path inputs in the Diagnostics reporting module.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by identifying and patching the path traversal flaw as recommended in the vendor upgrade to CompletePBX 5.2.36.

SI-7 Software, Firmware, and Information Integrity partial match

detect

Detects unauthorized file deletions resulting from exploitation through integrity monitoring of system files.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1070.004 File Deletion Stealth

Adversaries may delete files left behind by the actions of their intrusion activity.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing PBX web diagnostics module directly enables remote file read (T1005) and deletion (T1070.004) by low-priv users, which is exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Xorcom CompletePBX is vulnerable to a path traversal via the Diagnostics reporting module, which will allow reading of arbitrary files and additionally delete any retrieved file in place of the expected report. This issue affects CompletePBX: all versions up to…

and prior to 5.2.35

Deeper analysisAI

Xorcom CompletePBX, a telephony platform, is affected by CVE-2025-30005, a path traversal vulnerability in its Diagnostics reporting module. This flaw enables attackers to read arbitrary files on the system and delete those retrieved files in place of the expected report. The issue impacts all versions of CompletePBX up to and including 5.2.35 and is rated with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), mapped to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact confidentiality by exposing sensitive files, high-impact integrity by deleting them, and low-impact availability disruption, all within the unchanged security scope.

Vendor advisories and release notes recommend mitigation by upgrading to CompletePBX version 5.2.36 or later, as detailed in Xorcom's announcement for the new release and the VulnCheck advisory on the path traversal and file deletion issue.