CVE-2025-30005
Published: 31 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
Xorcom CompletePBX, a telephony platform, is affected by CVE-2025-30005, a path traversal vulnerability in its Diagnostics reporting module. This flaw enables attackers to read arbitrary files on the system and delete those retrieved files in place of the expected report. The issue impacts all versions of CompletePBX up to and including 5.2.35 and is rated with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), mapped to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact confidentiality by exposing sensitive files, high-impact integrity by deleting them, and low-impact availability disruption, all within the unchanged security scope.
Vendor advisories and release notes recommend mitigation by upgrading to CompletePBX version 5.2.36 or later, as detailed in Xorcom's announcement for the new release and the VulnCheck advisory on the path traversal and file deletion issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing PBX web diagnostics module directly enables remote file read (T1005) and deletion (T1070.004) by low-priv users, which is exploitation of a public-facing application (T1190).