Platform
other
Component
completepbx
Fixed in
5.2.36
CompletePBX, a VoIP platform, is vulnerable to a path traversal flaw within its Diagnostics reporting module. This vulnerability allows an attacker to read arbitrary files on the system and then delete them, potentially leading to data loss or system compromise. The vulnerability affects all versions of CompletePBX up to and including 5.2.35. A patch is available in version 5.2.36.
The path traversal vulnerability in CompletePBX poses a significant risk. An attacker could exploit this to gain unauthorized access to sensitive configuration files, database credentials, or other critical data stored on the system. The ability to delete files adds another layer of potential damage, allowing an attacker to disrupt services or even render the system unusable. Successful exploitation could lead to a complete compromise of the VoIP infrastructure, impacting communication services and potentially exposing sensitive customer data. This vulnerability is particularly concerning given the potential for remote exploitation and the wide range of data that could be accessed.
CVE-2025-30005 was publicly disclosed on 2025-03-31. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept exploits are currently known, but the nature of path traversal vulnerabilities makes it likely that one will emerge. The vulnerability's severity and ease of exploitation warrant close monitoring.
Organizations utilizing CompletePBX for VoIP services, particularly those running older versions (0–5.2.35), are at risk. Shared hosting environments where multiple CompletePBX instances reside on the same server are especially vulnerable, as a compromise of one instance could potentially lead to the compromise of others. Systems with publicly accessible CompletePBX instances are also at higher risk.
• linux / server:
journalctl -u completepbx | grep -i "path traversal"
• generic web:
curl -I 'http://<completepbx_ip>/diagnostics/../../../../etc/passwd' # Check for file disclosure
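A single grep for the literal string "path traversal" will rarely match anything; what a defender actually wants is to scan the web server's access log for requests to the Diagnostics module whose file parameter escapes the reporting directory, including URL-encoded and double-encoded forms. The following is an added example, not code from CompletePBX or Xorcom; the log format (combined/common log format), the endpoint prefix `/diagnostics/` and the `file=` parameter name are assumptions, and the log lines are constructed samples.

```python
"""Flag path-traversal attempts against a Diagnostics endpoint in web-server
access logs. Added example; endpoint path, parameter name and log lines are
assumptions/constructed samples, not taken from CompletePBX."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2025:10:00:01 +0000] "GET /diagnostics/report?file=report-2025-03-31.txt HTTP/1.1" 200 512
203.0.113.9 - - [31/Mar/2025:10:00:02 +0000] "GET /diagnostics/report?file=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [31/Mar/2025:10:00:03 +0000] "GET /diagnostics/report?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.9 - - [31/Mar/2025:10:00:04 +0000] "GET /diagnostics/report?file=%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 300
198.51.100.2 - - [31/Mar/2025:10:00:05 +0000] "GET /admin/index.php HTTP/1.1" 200 4096
"""

DIAG_PREFIX = "/diagnostics/"  # assumed module prefix

# ip, timestamp, method, request target, status, size
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)
# After decoding: a ".." segment (at start, after a separator or after "="),
# or a parameter value that is an absolute path.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)|=[/\\]')


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text):
    """Return (ip, status, decoded_target) for each Diagnostics request whose
    decoded target contains a traversal marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status, _size = m.groups()
        decoded = decode_fully(target)
        if not decoded.startswith(DIAG_PREFIX):
            continue
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, int(status), decoded))
    return hits


def successful_reads(hits):
    """Attempts the server answered with 200 are the ones to triage first:
    on an unpatched host they most likely returned file contents."""
    return [h for h in hits if h[1] == 200]


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for ip, status, target in found:
        print(f"{ip} {status} {target}")
    print(f"{len(successful_reads(found))} attempt(s) returned 200")
```

Run it against the real access log by reading the file into `find_traversal_attempts`; decoding before matching is what catches the `%2f` and `%252e` variants that a plain `grep '\.\./'` misses.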
Exploit status
EPSS
74.71% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-30005 is to upgrade CompletePBX to version 5.2.36 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing temporary workarounds. Restrict access to the Diagnostics reporting module using firewall rules or access control lists, limiting access to trusted administrators only. Monitor system logs for suspicious activity, particularly attempts to access files outside of the expected reporting directory. While a WAF might offer some protection, it's unlikely to be effective against a path traversal vulnerability without specific rules tailored to the CompletePBX application. Verify the upgrade by attempting to access a non-existent file through the Diagnostics reporting module; it should return an error, not the file contents.
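The underlying defect class is a file name taken from the request and joined onto the reporting directory without confinement. As an added example of the hardening pattern (reject directory components, canonicalise, then check that the resolved path is still inside the reporting directory), not CompletePBX's own code, the block below confines both the read and the delete operation that the advisory describes; the directory layout and file names are constructed in a temporary directory.

```python
"""Confine report file access to one directory. Added example of the
canonicalise-then-check-containment pattern; not CompletePBX code. The
directory and files are constructed in a temporary directory."""
import os
import tempfile


class ReportPathError(ValueError):
    """Raised when a requested report name would leave the report directory."""


def resolve_report_path(base_dir, requested_name):
    """Return an absolute path inside base_dir for requested_name, or raise."""
    if not requested_name or any(ord(c) < 0x20 for c in requested_name):
        raise ReportPathError("empty name or control character in name")
    # Reports are flat files: anything with a directory component is rejected
    # outright, which covers "../x", "/etc/x" and "sub/x".
    if os.path.basename(requested_name) != requested_name:
        raise ReportPathError("file name must not contain path separators")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # Second line of defence: a symlink placed inside base_dir could still
    # resolve outside it, so check containment on the canonical path.
    if os.path.commonpath([base, candidate]) != base:
        raise ReportPathError("resolved path escapes the report directory")
    return candidate


def read_report(base_dir, requested_name):
    with open(resolve_report_path(base_dir, requested_name), "r", encoding="utf-8") as f:
        return f.read()


def delete_report(base_dir, requested_name):
    path = resolve_report_path(base_dir, requested_name)
    os.remove(path)
    return path


def demo():
    """Build a throwaway report directory containing a symlink that points
    outside it, exercise the checks, and return the outcomes."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "reports")
        os.mkdir(base)
        with open(os.path.join(base, "report-1.txt"), "w", encoding="utf-8") as f:
            f.write("diagnostic output\n")
        secret = os.path.join(tmp, "secret.conf")  # constructed "sensitive" file
        with open(secret, "w", encoding="utf-8") as f:
            f.write("db_password=example\n")
        os.symlink(secret, os.path.join(base, "link.txt"))

        outcomes["legit"] = read_report(base, "report-1.txt")
        for name in ("../secret.conf", "/etc/passwd", "link.txt", "", "a\x00b"):
            try:
                read_report(base, name)
                outcomes[name] = "allowed"
            except ReportPathError:
                outcomes[name] = "blocked"
        outcomes["deleted"] = os.path.basename(delete_report(base, "report-1.txt"))
        outcomes["secret_survives"] = os.path.exists(secret)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The containment check on the canonical path is what makes the delete operation safe as well: even if an attacker can plant a symlink inside the report directory, the only file the handler will ever remove is one whose real location is under the directory.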
Upgrade CompletePBX to version 5.2.36 or later. This version contains the fix for the path traversal and file deletion vulnerability. The update can be performed through the CompletePBX administration panel or by downloading the latest version from the official Xorcom website.
CVE-2025-30005 is a vulnerability in CompletePBX allowing attackers to read and delete files via the Diagnostics reporting module.
If you are running CompletePBX versions 0–5.2.35, you are affected by this vulnerability.
Upgrade CompletePBX to version 5.2.36 or later to resolve the vulnerability. Consider temporary workarounds like firewall restrictions if immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability's severity warrants immediate attention.
Refer to the Xorcom security advisory page for the latest information and updates regarding CVE-2025-30005.