CVE-2025-2292
Published 2025-03-31
Priority: P3 · 46 · medium · CVSS 3.1: 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.50% (71.1st percentile)
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xorcom | completepbx | < 5.2.36.1 | 5.2.36.1 |
| xorcom | completepbx | <= 5.2.35 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the CompletePBX Backup and Restore functionality for a `backup` parameter value that begins with a comma (`,`) followed by a Base64-encoded string, which is the exploit trigger for path traversal arbitrary file read.
- The exploit runs as root on the target system — any successful exploitation allows reading arbitrary system files (e.g., /etc/passwd, SSH keys). Alert on authenticated backup download requests returning sensitive file content.
- Flag CompletePBX instances running version 5.2.35 or earlier as vulnerable; the backup download function lacks input validation on the `backup` parameter.
- Exploitation requires prior authentication — this is an authenticated vulnerability, so detection should account for sessions that are already logged in before issuing the malicious backup download request.
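The first detection bullet above describes the trigger shape (a `backup` parameter whose value is a comma followed by Base64). The following is an added example, not part of this record or of any vendor code, that applies that check to web-server access logs and enriches each hit with the decoded value and whether the request carried an authenticated user. The `/admin/backup` path and the log lines are constructed; only the `backup` parameter name comes from the advisory.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format, not from a real system).
# Second line carries backup=%2C<base64> i.e. ",L2V0Yy9wYXNzd2Q=" after decoding.
SAMPLE_LOG = """\
10.0.0.5 - admin [31/Mar/2025:10:01:02 +0000] "GET /admin/backup?backup=daily-2025-03-30.tar.gz HTTP/1.1" 200 4096
10.0.0.7 - admin [31/Mar/2025:10:02:10 +0000] "GET /admin/backup?backup=%2CL2V0Yy9wYXNzd2Q%3D HTTP/1.1" 200 1873
10.0.0.9 - - [31/Mar/2025:10:03:00 +0000] "GET /login HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def query_params(target):
    """Split the query string by hand so a literal '+' in Base64 survives
    (parse_qs would turn it into a space)."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        if pair:
            key, _, val = pair.partition('=')
            params.setdefault(unquote(key), []).append(unquote(val))
    return params

def check_backup_param(value):
    """Return the decoded payload when `value` has the trigger shape
    (leading comma + valid Base64), otherwise None."""
    if not value.startswith(','):
        return None
    body = value[1:]
    if not body or not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None

def scan_log(text):
    """Return one finding per request whose `backup` parameter matches the trigger shape."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for raw in query_params(m['target']).get('backup', []):
            decoded = check_backup_param(raw)
            if decoded is not None:
                findings.append({'src': m['src'], 'user': m['user'], 'status': int(m['status']),
                                 'decoded_backup': decoded,
                                 # the flaw is post-auth, so an identified user is expected
                                 'authenticated': m['user'] != '-'})
    return findings
```

A 200 response on a flagged request, combined with a logged-in user, is the combination the second and fourth bullets ask analysts to prioritise.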
No detection rules found.
No writeups or analysis indexed.