Platform
other
Component
completepbx
Fixed in
5.2.36
CompletePBX, a VoIP platform, is vulnerable to a path traversal flaw within its Diagnostics reporting module. This vulnerability allows an attacker to read arbitrary files on the system and subsequently delete them, potentially leading to data loss or system disruption. The vulnerability affects all versions of CompletePBX up to and including 5.2.35. A patch is available in version 5.2.36.
The path traversal vulnerability in CompletePBX allows an attacker to bypass intended access controls and read any file accessible to the web server process. This includes sensitive configuration files, database credentials, and potentially even system files. The ability to delete files exacerbates the impact, allowing an attacker to disrupt services or even render the system unusable. A successful exploitation could lead to complete system compromise, data exfiltration, and denial of service. While no direct precedent is immediately apparent, path traversal vulnerabilities are frequently exploited to gain unauthorized access and control over systems.
CVE-2025-30005 was publicly disclosed on 2025-03-31. The vulnerability's severity is assessed as HIGH (CVSS: 8.3). There are currently no known public proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of this writing. Active exploitation campaigns are not currently confirmed.
Exploit Status
EPSS
74.71% (99% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-30005 is to upgrade CompletePBX to version 5.2.36 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing temporary workarounds such as restricting access to the Diagnostics reporting module via a firewall or web application proxy. Configure your WAF to block requests containing suspicious path traversal patterns (e.g., '../'). Regularly monitor system logs for unusual file access or deletion activity. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the Diagnostics reporting module; the request should be denied.
Actualice CompletePBX a la versión 5.2.36 o superior. Esta versión contiene la corrección para la vulnerabilidad de path traversal y eliminación de archivos. La actualización se puede realizar a través del panel de administración de CompletePBX o descargando la última versión desde el sitio web oficial de Xorcom.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-30005 is a vulnerability in CompletePBX allowing attackers to read and delete files via the Diagnostics reporting module.
If you are running CompletePBX versions 0–5.2.35, you are affected by this vulnerability.
Upgrade CompletePBX to version 5.2.36 or later to resolve the vulnerability. Consider temporary workarounds like firewall restrictions if immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability's severity warrants immediate attention.
Refer to the Xorcom security advisory page for the latest information and updates regarding CVE-2025-30005.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.