CVE-2025-30004
📋 TL;DR
Xorcom CompletePBX versions up to and including 5.2.35 contain an authenticated command injection vulnerability in the administrator Task Scheduler functionality. An attacker who already holds administrative access to the web interface can inject shell metacharacters into a scheduled task's command and have arbitrary commands executed as root, compromising the entire system. All deployments running a vulnerable version are affected.
💻 Affected Systems
- Xorcom CompletePBX
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level command execution, allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to other systems, or disrupt telephony services.
Likely Case
Attackers with stolen or compromised admin credentials execute commands to establish persistence, steal call records and configuration data, or disrupt PBX functionality.
If Mitigated
Limited impact if strong access controls, network segmentation, and monitoring prevent unauthorized admin access and detect anomalous command execution.
🎯 Exploit Status
Exploitation requires valid administrative credentials (or an existing admin session); the attacker then saves a Task Scheduler entry whose command field carries shell metacharacters (for example ";" or "|" followed by a second command), which the PBX executes as root. No memory corruption or special tooling is needed, so the main barrier is obtaining admin access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CompletePBX 5.2.36.1
Vendor Advisory: https://www.xorcom.com/new-completepbx-release-5-2-36-1/
Restart Required: No
Instructions:
1. Backup your CompletePBX configuration.
2. Update to version 5.2.36.1 via the admin interface or the vendor-provided update method.
3. Verify the update completed successfully and the reported version is 5.2.36.1.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted IP addresses and users only.
Configure firewall rules so that only trusted sources can reach the admin interface. An ACCEPT rule on its own restricts nothing; it must be followed by a DROP for every other source, e.g. iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ip] -j ACCEPT followed by iptables -A INPUT -p tcp --dport [admin_port] -j DROP
Disable Task Scheduler
Temporarily disable the Task Scheduler functionality if it is not required, and review any existing scheduled tasks for commands you did not create.
Check vendor documentation for disabling specific modules or features; this page does not document a switch for the Task Scheduler itself.
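The firewall workaround above is only effective when the allow rules are followed by a deny; the following script is an added example (not Xorcom's code or anything from the vendor advisory) that generates the rule set in the right order and refuses to apply one that does not end in DROP. The admin port (443) and the trusted addresses are assumptions; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example (not Xorcom's code): generate an iptables rule set that
# restricts the CompletePBX admin web port to trusted source addresses.
# ADMIN_PORT and TRUSTED_IPS below are assumptions; substitute your own.
# Run with "apply" as the first argument to execute the rules; any other
# invocation only prints them so the ordering can be reviewed first.

ADMIN_PORT=443                               # assumption: admin UI on TCP 443
TRUSTED_IPS="192.0.2.10 198.51.100.0/24"     # assumption: management hosts

# Print the rule set in the order it must be loaded: a dedicated chain,
# one ACCEPT per trusted source, a LOG for visibility, then an unconditional
# DROP.  Without the final DROP an ACCEPT rule does not restrict anything.
gen_admin_fw_rules() {
    port=$1; shift
    echo "iptables -N PBX_ADMIN"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j PBX_ADMIN"
    for src in "$@"; do
        echo "iptables -A PBX_ADMIN -s $src -j ACCEPT"
    done
    echo "iptables -A PBX_ADMIN -j LOG --log-prefix \"PBX-ADMIN-DENY \""
    echo "iptables -A PBX_ADMIN -j DROP"
}

# Succeed only if the last rule of a generated set is the DROP, i.e. the
# set is a real allowlist rather than an ACCEPT with no teeth.
rules_close_with_drop() {
    printf '%s\n' "$1" | tail -n 1 | grep -q -- '-j DROP$'
}

RULES=$(gen_admin_fw_rules "$ADMIN_PORT" $TRUSTED_IPS)
if [ "${1:-}" = "apply" ]; then
    rules_close_with_drop "$RULES" || { echo "refusing: rule set has no final DROP" >&2; exit 1; }
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Run it without arguments to print the rules, check that the DROP is last, then run it again with apply as root. Remember to add the trusted addresses before you enable the DROP, otherwise you lock yourself out of the admin interface.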
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the PBX from critical systems.
- Enforce strong authentication (MFA) for admin accounts and monitor for suspicious login attempts.
🔍 How to Verify
Check if Vulnerable:
Check the CompletePBX version via the admin interface or the command line; versions up to and including 5.2.35 are vulnerable, and 5.2.36.1 is the first release that contains the fix.
Check Version:
SSH into the system and run dpkg -l | grep completepbx (CompletePBX is Debian-based), or read the version from the web admin dashboard.
Verify Fix Applied:
After updating, confirm the version is 5.2.36.1 or higher in the admin interface.
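Comparing dotted versions by hand is error-prone (a plain string comparison puts 5.2.9 after 5.2.35). The script below is an added example, not Xorcom's code, that reads the installed version from dpkg, or takes one as an argument, and reports whether it predates the fixed build. The package name completepbx is taken from the page's own dpkg check and is an assumption; it treats anything older than 5.2.36.1 as unpatched, which is the conservative reading of the advisory.

```shell
#!/usr/bin/env bash
# Added example (not Xorcom's code): decide whether an installed
# CompletePBX version predates the fixed build 5.2.36.1 from the vendor
# advisory.  The dpkg package name "completepbx" is an assumption taken
# from the page's own check; it may differ on your system.

FIXED_VERSION="5.2.36.1"

# version_le A B: true if A <= B in dotted-numeric order.  GNU sort -V
# makes 5.2.9 < 5.2.35 and 5.2.36 < 5.2.36.1 compare correctly; a plain
# string comparison would get both wrong.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable VERSION: true for any release older than the fixed build.
is_vulnerable() {
    version_le "$1" "$FIXED_VERSION" && [ "$1" != "$FIXED_VERSION" ]
}

# Read the installed version from dpkg (Debian revision stripped); prints
# nothing if the package is not present so the caller can fall back.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' completepbx 2>/dev/null | sed 's/-.*//'
    fi
}

ver=${1:-$(installed_version)}
if [ -n "$ver" ]; then
    if is_vulnerable "$ver"; then
        echo "CompletePBX $ver: VULNERABLE to CVE-2025-30004 (update to $FIXED_VERSION)"
    else
        echo "CompletePBX $ver: not affected ($FIXED_VERSION or later)"
    fi
else
    echo "usage: $0 <version>   (dpkg did not report a completepbx package)" >&2
fi
```

Run it on the PBX itself, or pass a version string recorded in your asset inventory to check a fleet without logging into each box.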
📡 Detection & Monitoring
Log Indicators:
- Unusual commands in scheduler logs, unexpected root-level process execution, or admin login from suspicious IPs.
Network Indicators:
- Outbound connections from the PBX to unknown external IPs, especially on non-standard ports.
SIEM Query:
source="completepbx_logs" AND (event="command_execution" OR user="root") AND (command="*;*" OR command="*|*" OR command="*$(*" OR command="*`*")