This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OS Command Injection in Xorcom CompletePBX. <br>π₯ **Consequences**: Attackers can execute arbitrary commands with **root privileges**, leading to total system compromise.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-78** (OS Command Injection). <br>π **Flaw**: The **admin task scheduler** fails to sanitize inputs, allowing malicious commands to be injected into the OS.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **Xorcom CompletePBX**. <br>π **Versions**: **5.2.35 and earlier**. <br>π’ **Vendor**: Xorcom (Israel-based Asterisk IP phone system).
Q4What can hackers do? (Privileges/Data)
π **Hackers Can**: Execute **arbitrary OS commands**. <br>π **Privileges**: Runs as **root**. <br>π **Impact**: Full control over the PBX server, data theft, or lateral movement.
Q5Is exploitation threshold high? (Auth/Config)
π **Threshold**: **Medium**. <br>π **Auth Required**: Yes, **Privileged Access** (Admin) is needed. <br>π **Network**: Exploitable over **Network (AV:N)**.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π« **Public Exploit**: **No**. <br>π **PoC**: None listed in the data. <br>β οΈ **Status**: Theoretical risk until PoC is released, but severity is Critical.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for **Xorcom CompletePBX** versions **β€ 5.2.35**. <br>π **Focus**: Check the **Admin Task Scheduler** interface for unsanitized input fields.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: **Yes**. <br>π§ **Patch**: Upgrade to version **5.2.36.1** or later. <br>π’ **Source**: Official Vendor Advisory available.
Q9What if no patch? (Workaround)
π‘οΈ **No Patch Workaround**: <br>1. **Restrict Access**: Limit admin interface to trusted IPs only. <br>2. **Disable**: If possible, disable the task scheduler feature. <br>3.β¦
π₯ **Urgency**: **HIGH**. <br>βοΈ **CVSS**: **9.8 (Critical)**. <br>π **Action**: Patch immediately. Even without public exploits, the root-level impact makes this a top priority.