CVE-2025-30004
Published: 31 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
Xorcom CompletePBX, a PBX system, is affected by CVE-2025-30004, a command injection vulnerability in its administrator Task Scheduler functionality. This flaw, classified under CWE-78, enables attackers to execute arbitrary commands as the root user. The issue impacts all versions of CompletePBX up to and including 5.2.35 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges, such as administrator access, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants root-level command execution on the system, resulting in high confidentiality, integrity, and availability impacts, potentially leading to full system compromise.
Advisories from VulnCheck detail the authenticated command injection mechanism, while Xorcom's release notes for CompletePBX version 5.2.36.1 indicate that this update addresses the vulnerability, recommending immediate upgrades to mitigate the risk.
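For triaging an inventory against this advisory, the following is an added example (not Xorcom's or VulnCheck's code) that compares installed version strings with the bounds stated above: all releases up to and including 5.2.35 are affected, and 5.2.36.1 is the release named as the fix. It assumes dotted-numeric version strings and treats a missing trailing component as zero, so a build between the two bounds is reported as unstated rather than assumed safe.

```python
# Added example: classify a CompletePBX version string against the range
# this advisory marks as affected (<= 5.2.35) and the release Xorcom's
# notes name as the fix (5.2.36.1). Hypothetical helper, not vendor code;
# version strings are assumed to be dotted integers such as "5.2.36.1".

LAST_AFFECTED = "5.2.35"
FIXED_IN = "5.2.36.1"


def parse_version(text):
    """Split a dotted version into a tuple of ints: '5.2.36.1' -> (5, 2, 36, 1)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b. Missing trailing
    components count as zero, so '5.2.36' == '5.2.36.0' < '5.2.36.1'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(installed):
    """True when the installed version lies in the advisory's affected range."""
    return compare(installed, LAST_AFFECTED) <= 0


def assessment(installed):
    """One-line triage verdict suitable for an inventory report."""
    if is_affected(installed):
        return f"{installed}: AFFECTED by CVE-2025-30004, upgrade to {FIXED_IN} or later"
    if compare(installed, FIXED_IN) < 0:
        # Newer than the last known-affected build but older than the named
        # fix: the advisory does not state its status, so do not assume safe.
        return f"{installed}: status not stated by advisory, verify against {FIXED_IN}"
    return f"{installed}: not affected (at or after {FIXED_IN})"


if __name__ == "__main__":
    for v in ("5.2.35", "5.2.36", "5.2.36.1", "5.3.0"):
        print(assessment(v))
```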
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the administrator Task Scheduler allows an authenticated low-privilege user to run arbitrary commands as root, which directly enables privilege escalation (T1068) and Unix shell command execution (T1059.004).