CVE-2025-30006

6.1 MEDIUM

📋 TL;DR

Xorcom CompletePBX administrative control panel contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts via crafted URLs. This affects all administrators who access the vulnerable control panel interface. The vulnerability exists in all versions up to and including 5.2.35.

💻 Affected Systems

Products:
  • Xorcom CompletePBX
Versions: All versions up to and including 5.2.35
Operating Systems: Linux-based PBX systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the administrative web interface; regular PBX functionality remains unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full system takeover, data exfiltration, or deployment of backdoors.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized administrative actions performed by tricking administrators into clicking malicious links.

🟢 If Mitigated

Limited impact if administrators use separate browser profiles, have clickjacking protection, or avoid clicking untrusted links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated administrators into clicking malicious URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.36.1

Vendor Advisory: https://www.xorcom.com/new-completepbx-release-5-2-36-1/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download CompletePBX 5.2.36.1 from Xorcom.
3. Follow the vendor upgrade instructions.
4. Restart the PBX system.
5. Verify that the administrative interface functions correctly.

🔧 Temporary Workarounds

Input Validation via Web Application Firewall (platform: all)

Deploy a WAF with XSS protection rules to filter malicious input before it reaches the application.

Content Security Policy Headers (platform: linux)

Implement CSP headers to restrict script execution sources and mitigate XSS impact.

Add the following header to the web server configuration:

    Content-Security-Policy: default-src 'self'; script-src 'self'

Test the policy against the panel before rolling it out: script-src 'self' also blocks inline scripts and inline event handlers, so an interface that relies on them will break until those scripts are served from separate files.

🧯 If You Can't Patch

  • Restrict administrative access to trusted IP addresses only using firewall rules.
  • Educate administrators to never click untrusted links while logged into the control panel.

🔍 How to Verify

Check if Vulnerable:

Check if CompletePBX version is 5.2.35 or earlier via the administrative interface or system logs.

Check Version:

ssh admin@pbx-host 'cat /etc/completepbx/version'

or check the web interface footer.

Verify Fix Applied:

Confirm the system reports version 5.2.36.1 or later in the administrative interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long URLs containing script tags in web access logs
  • Multiple failed login attempts followed by suspicious redirects

Network Indicators:

  • HTTP requests containing script tags or JavaScript code in query parameters
  • Unusual outbound connections from PBX administrative interface

SIEM Query:

source="web_access.log" AND (url="*<script*" OR url="*javascript:*")
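The log and network indicators above, as an added detection example that is not part of this advisory: a Python scanner over constructed Combined Log Format lines (the request paths, hosts and addresses are hypothetical, not CompletePBX's own) that percent-decodes each query string before matching. The wildcard SIEM query above matches only literal `<script` and `javascript:` in the raw URL, so encoded and double-encoded variants slip past it; decoding first closes that gap.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format). Paths, hosts
# and addresses are hypothetical; they are not taken from CompletePBX.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:09:12:01 +0000] "GET /admin/index.php?display=extensions HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2025:09:12:44 +0000] "GET /admin/index.php?display=<script>alert(1)</script> HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2025:09:13:02 +0000] "GET /admin/index.php?display=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2025:09:13:30 +0000] "GET /admin/index.php?display=%253Cscript%253E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2025:09:14:10 +0000] "GET /admin/index.php?page=javascript%3Aalert(1) HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a Combined Log Format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The page's two SIEM patterns plus inline event handlers (onerror=, onload=, ...),
# applied to the *decoded* query string rather than the raw URL.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded, so a pathological
    input cannot loop forever). One round catches %3Cscript%3E, a second catches
    the double-encoded %253Cscript%253E form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_access_log(text):
    """Return (ip, method, decoded query, status) for every request whose query
    string contains a script-injection pattern after decoding. Lines that do not
    parse as Combined Log Format are skipped rather than raising."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(urlsplit(m['target']).query)
        if XSS_RE.search(decoded):
            hits.append((m['ip'], m['method'], decoded, int(m['status'])))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the application served a page for the injected input, which is the case worth correlating with the administrator's session activity that followed.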
