CVE-2025-30005 — AI Deep Analysis Summary

🚨 **Essence**: A Path Traversal flaw in the diagnostic report module. 📉 **Consequences**: Attackers can read arbitrary files on the server and delete expected reports. Critical integrity and confidentiality loss.

🛡️ **Root Cause**: **CWE-22** (Improper Limitation of a Pathname to a Restricted Directory). The system fails to sanitize user input in the diagnostic module, allowing directory traversal sequences.

🏢 **Affected Vendor**: Xorcom. 📦 **Product**: CompletePBX (Enterprise IP Phone System based on Asterisk). 📅 **Versions**: 5.2.35 and earlier.

💀 **Attacker Actions**: 📂 **Read**: Access sensitive system files (config, logs, keys). 🗑️ **Delete**: Remove specific diagnostic reports. This leads to **High** Confidentiality and Integrity impact.

🔑 **Threshold**: **Medium**. Requires **Local Privileges** (PR:L). It is not remote unauthenticated.…

🕵️ **Public Exploit**: **No**. The `pocs` field is empty. No public Proof-of-Concept or wild exploitation code is currently available in the provided data.

🔍 **Self-Check**: Scan for **Xorcom CompletePBX** instances. Check version numbers against **5.2.35**. Look for diagnostic report endpoints that might accept path traversal characters (e.g., `../`) in HTTP requests.

✅ **Fix Status**: **Yes**. Vendor advisory released. Upgrade to **version 5.2.36.1** or later to patch the path traversal vulnerability in the diagnostic module.

🚧 **No Patch Workaround**: Restrict network access to the diagnostic module. Ensure only authorized local users can access the PBX interface. Monitor file system integrity for unexpected deletions.

⚡ **Urgency**: **High Priority**. CVSS Score indicates **High** impact on Confidentiality and Integrity.…