CVE-2025-30004

HIGH

Xorcom CompletePBX <5.2.35 - Command Injection

Title source: llm

Description

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing for attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35

Exploits (1)

metasploit WORKING POC EXCELLENT

by Valentin Lobstein · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/xorcom_completepbx_scheduler.rb

View Code ZIP pw:eip

References (2)

[Third Party Advisory] https://vulncheck.com/advisories/completepbx-authenticated-command-injection

[Release Notes] https://www.xorcom.com/new-completepbx-release-5-2-36-1/

Scores

CVSS v3 8.8

EPSS 0.7859

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

xorcom/completepbx < 5.2.36.1

Published Mar 31, 2025

Tracked Since Feb 18, 2026