CVE-2025-30004

HIGH
2025-03-31 [email protected]
8.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:34 vuln.today
CVE Published
Mar 31, 2025 - 17:15 nvd
HIGH 8.8

Tags

Command Injection Completepbx

Description

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35

Analysis

Xorcom CompletePBX through version 5.2.35 contains an authenticated command injection vulnerability in the Task Scheduler functionality. Attackers with administrator access can inject arbitrary OS commands that execute as root, achieving complete system compromise of the VoIP PBX.

Technical Context

The Task Scheduler in CompletePBX's admin interface allows scheduling system tasks. The task definition parameters are passed to the system shell without proper sanitization, enabling command injection. Since the PBX daemon runs as root, injected commands execute with root privileges. Administrator authentication is required but default credentials are common on PBX systems.

Affected Products

['Xorcom CompletePBX <= 5.2.35']

Remediation

Update to CompletePBX beyond 5.2.35. Change all default credentials. Restrict admin interface access to management VLANs. Monitor scheduled tasks for unauthorized entries. Implement SIP trunk security controls to prevent toll fraud.

Priority Score

123
Low Medium High Critical
KEV: 0
EPSS: +78.6
CVSS: +44
POC: 0

Share

CVE-2025-30004 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy