CVE-2025-2292
published 2025-03-31

Priority: P3 46 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.50% (71.1th percentile)
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality.This issue affects CompletePBX: through 5.2.35.

Affected (2 ranges)

Vendor   Product      Version range   Fixed in
xorcom   completepbx  < 5.2.36.1      5.2.36.1
xorcom   completepbx  <= 5.2.35

Detection & IOCs (extracted from sources)

IOC (other): backup=,<Base64-encoded absolute file path>
  • Monitor HTTP requests to the CompletePBX Backup and Restore functionality for a `backup` parameter value that begins with a comma (`,`) followed by a Base64-encoded string, which is the exploit trigger for path traversal arbitrary file read.
  • The exploit runs as root on the target system — any successful exploitation allows reading arbitrary system files (e.g., /etc/passwd, SSH keys). Alert on authenticated backup download requests returning sensitive file content.
  • Flag CompletePBX instances running version 5.2.35 or earlier as vulnerable; the backup download function lacks input validation on the `backup` parameter.
  • Exploitation requires prior authentication — this is an authenticated vulnerability, so detection should account for sessions that are already logged in before issuing the malicious backup download request.
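The detection rule above (a `backup` parameter whose value starts with a comma followed by Base64) can be turned into a log-review check. The following Python is an added example, not code from the advisory or from Xorcom: it takes constructed request records (user, method, path with query string), flags any `backup` parameter with the trigger shape, decodes the payload, and rates the hit higher when the decoded value is an absolute path or contains `..`. The endpoint path and the record format are assumptions; the page does not give the real URL, so no path filter is hard-coded.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not real traffic). Tuple: (user, method, target).
# The second one has the trigger shape described in the advisory; the third has the
# shape but decodes to a harmless string; the others are ordinary backup traffic.
SAMPLE_REQUESTS = [
    ("admin", "GET", "/admin/backup/download?backup=backup-2025-03-30.tar.gz"),
    ("admin", "GET", "/admin/backup/download?backup=,"
                     + base64.b64encode(b"/etc/passwd").decode("ascii")),
    ("tech",  "GET", "/admin/backup/download?backup=,bm90LWEtcGF0aA=="),
    ("admin", "GET", "/admin/index.php?page=backup"),
]

# Standard Base64 alphabet with optional padding. In a URL, '+' and '/' normally
# arrive percent-encoded; parse_qs() unquotes them before we get here.
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_backup_param(value):
    """Return the decoded payload if `value` is ',<base64>', otherwise None."""
    if not value.startswith(","):
        return None
    payload = value[1:]
    if not payload or not B64_RE.fullmatch(payload):
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_request(user, method, target):
    """Return a finding dict for one request record, or None if it is benign."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("backup", []):
        decoded = decode_backup_param(value)
        if decoded is None:
            continue
        # An absolute path or a traversal sequence matches the arbitrary-file-read
        # pattern; the bare trigger shape alone is still worth a medium alert.
        suspicious_path = decoded.startswith("/") or ".." in decoded
        return {
            "user": user,
            "method": method,
            "path": parts.path,
            "decoded_path": decoded,
            "severity": "high" if suspicious_path else "medium",
            # The advisory says exploitation needs an authenticated session, so an
            # unattributed user ("-") is a sign the log lacks session context.
            "authenticated": user != "-",
        }
    return None


def scan(records):
    """Run classify_request over a list of (user, method, target) tuples."""
    findings = []
    for record in records:
        hit = classify_request(*record)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"[{finding['severity']}] user={finding['user']} "
              f"path={finding['path']} decoded={finding['decoded_path']!r}")
```

Feed `scan()` records parsed from the web server's access log once the real CompletePBX backup endpoint is known; the decoded path is kept in the finding so an analyst can see what file was requested without re-decoding it by hand.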