CVE-2025-30004 HIGH

CVE-2025-30004: Xorcom CompletePBX <= 5.2.35 Task Scheduler Authenticated Command Injection

Vendor: Xorcom
Product: CompletePBX
Weakness: CWE-78
Published: March 31, 2025
Last update: December 27, 2025

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Xorcom CompletePBX is vulnerable to command injection in the administrator Task Scheduler functionality, allowing attackers to execute arbitrary commands as the root user. This issue affects CompletePBX: all versions up to and prior to 5.2.35.

Key dates

02 Disclosure timeline

March 31, 2025: CVE published
December 27, 2025: Record updated