CVE-2025-2292
MEDIUMXorcom Completepbx < 5.2.36.1 - Path Traversal
Title source: ruleDescription
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality.This issue affects CompletePBX: through 5.2.35.
Exploits (1)
metasploit
WORKING POC
by Valentin Lobstein · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/xorcom_completepbx_file_disclosure.rb
Scores
CVSS v3
6.5
EPSS
0.6879
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
xorcom/completepbx
< 5.2.36.1
Published
Mar 31, 2025
Tracked Since
Feb 18, 2026