CVE-2025-2292: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Xorcom CompletePBX
Xorcom CompletePBX is vulnerable to an authenticated path traversal, allowing for arbitrary file reads via the Backup and Restore functionality. This issue affects CompletePBX: through 5.2.35.
AI Analysis
Technical Summary
CVE-2025-2292 is a path traversal vulnerability classified under CWE-22 in Xorcom CompletePBX, a PBX platform for VoIP telephony. The flaw lies in the Backup and Restore functionality, which does not adequately restrict the pathname it is given, so an authenticated user can supply a path that resolves outside the intended backup directory and read arbitrary files on the underlying operating system, including configuration files, credentials, and other sensitive data. Exploitation requires valid credentials (low privilege) but no user interaction. The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network reachability, low attack complexity, and high confidentiality impact, with no impact on integrity or availability. At the time of this analysis no public exploit and no vendor patch was available, leaving a window of exposure. Affected versions are CompletePBX through 5.2.35, and the issue was publicly disclosed on March 31, 2025. Because a PBX is critical communication infrastructure, disclosure of its configuration and credentials can be a stepping stone to further compromise or data leakage.
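To make the class of flaw concrete, the following Python sketch is an added example for this page, not Xorcom CompletePBX code: the handler names, directory layout and file names are constructed for the demonstration. It shows the classic CWE-22 pattern of joining a caller-supplied backup name onto a backup directory, beside a hardened version that canonicalizes the result and refuses anything that does not lie inside that directory. The same check defeats ".." segments, absolute paths and symlinks alike.

```python
"""CWE-22 illustration: a backup-download handler that joins a caller-supplied
file name onto its backup directory, beside a hardened version.
Added example for this page, not Xorcom CompletePBX code; the directory
layout, file names and parameter are constructed for the demonstration."""
import os
import tempfile


def setup_demo_tree() -> str:
    """Create <root>/backups/ holding one archive, plus <root>/secret.conf
    outside the backup directory standing in for a sensitive system file."""
    root = tempfile.mkdtemp(prefix="pbxdemo-")
    backups = os.path.join(root, "backups")
    os.mkdir(backups)
    with open(os.path.join(backups, "pbx-2025-03-31.tar.gz"), "wb") as f:
        f.write(b"archive-bytes")
    with open(os.path.join(root, "secret.conf"), "w") as f:
        f.write("admin_password=constructed-example\n")
    return root


def read_backup_vulnerable(backup_dir: str, name: str) -> bytes:
    """The flawed pattern. os.path.join neither normalizes '..' nor refuses an
    absolute second argument (it simply discards backup_dir), so both
    '../secret.conf' and '/etc/passwd' escape the backup directory."""
    path = os.path.join(backup_dir, name)
    with open(path, "rb") as f:
        return f.read()


def read_backup_hardened(backup_dir: str, name: str) -> bytes:
    """Canonicalize (realpath resolves '..' and symlinks) and require the result
    to lie inside the canonical backup directory before opening it."""
    if not name:
        raise PermissionError("empty backup name")
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: '/srv/backups' must not accept '/srv/backups-old/x'
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes backup directory: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def _attempt(func, backup_dir: str, name: str):
    """Return file contents, or the string 'blocked' if the handler refused."""
    try:
        return func(backup_dir, name)
    except PermissionError:
        return "blocked"


def demo() -> dict:
    """Run both handlers against a benign name, a '..' traversal and an
    absolute path; return the outcomes keyed by handler and input."""
    root = setup_demo_tree()
    backup_dir = os.path.join(root, "backups")
    secret_abs = os.path.join(root, "secret.conf")
    cases = {
        "normal": "pbx-2025-03-31.tar.gz",
        "dotdot": "../secret.conf",
        "absolute": secret_abs,
    }
    return {
        f"{handler}_{label}": _attempt(func, backup_dir, name)
        for handler, func in (("vuln", read_backup_vulnerable),
                              ("hard", read_backup_hardened))
        for label, name in cases.items()
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value!r}")
```

Running it shows the vulnerable handler returning the contents of secret.conf for both the ".." and the absolute-path inputs, while the hardened handler serves only the archive inside the backup directory. The realpath step matters: a plain string prefix test on the unresolved path would still be fooled by a symlink placed inside the backup directory.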
Potential Impact
For European organizations, this vulnerability threatens the confidentiality of sensitive telephony data, including configuration files, user credentials, and call records. Exposure of such data can enable follow-on attacks such as privilege escalation, eavesdropping, or disruption of communications. Sectors that depend on secure communications, such as finance, government, healthcare, and critical infrastructure, face operational and reputational damage if the flaw is exploited. Because exploitation requires authentication, insider threats and compromised low-privilege accounts are the likely vector. With no patch available and no public exploit yet, defenders have a window to put compensating controls in place before the flaw is weaponized. The impact is greater where CompletePBX is integrated with other critical systems or where regulatory requirements mandate strict data protection.
Mitigation Recommendations
Immediate mitigation should focus on restricting the Backup and Restore functionality to a small set of trusted administrators and monitoring all backup-related activity for anomalies. Enforce strict authentication and authorization, including multi-factor authentication, to reduce the risk from compromised credentials. Segment PBX systems from general user networks so that the management interface is reachable only from administrative hosts. Audit user accounts and permissions regularly and remove any that are not strictly needed. Until a patch is available, disable the Backup and Restore feature if operationally feasible. Note that file integrity monitoring will not detect this flaw, because exploitation only reads files; instead, review web server access logs for backup or restore requests whose path or parameters contain traversal sequences such as "../" (including URL-encoded forms such as "%2e%2e%2f"), and alert on them. If exploitation is suspected, treat secrets stored in readable configuration files (SIP and extension secrets, database and administrative passwords) as exposed and rotate them. Keep up-to-date backups stored securely offline, and follow vendor advisories so the fix can be applied promptly once released.
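The log review suggested above can be scripted. The following Python example is added for this page and is not part of the advisory or of CompletePBX: the log lines are constructed in Apache combined format, and the "/admin/backup/..." paths and "file" parameter are placeholders, since the advisory does not name the actual CompletePBX endpoint. It flags requests to backup-related paths whose target, after repeated percent-decoding, contains a ".." segment, and counts attempts per account and source address.

```python
"""Scan web-server access logs for directory-traversal attempts against a
PBX's backup/restore endpoints. Added example for this page; the log lines
are constructed in Apache combined format, and the '/admin/backup/...' paths
and 'file' parameter are placeholders, since the advisory does not name the
actual CompletePBX endpoint."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample: one legitimate download, three traversal attempts by the
# same low-privilege account (plain, URL-encoded, double-encoded), a restore
# POST and unrelated static traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [31/Mar/2025:10:01:02 +0200] "GET /admin/backup/download?file=pbx-2025-03-31.tar.gz HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - tech1 [31/Mar/2025:10:03:14 +0200] "GET /admin/backup/download?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.5.0"
10.0.0.9 - tech1 [31/Mar/2025:10:03:20 +0200] "GET /admin/backup/download?file=..%2F..%2F..%2Fetc%2Fasterisk%2Fsip.conf HTTP/1.1" 200 9011 "-" "curl/8.5.0"
10.0.0.9 - tech1 [31/Mar/2025:10:03:31 +0200] "GET /admin/backup/download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 1200 "-" "curl/8.5.0"
10.0.0.7 - admin [31/Mar/2025:10:05:00 +0200] "POST /admin/backup/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.12 - - [31/Mar/2025:10:06:00 +0200] "GET /static/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a separator or end of string, evaluated on the decoded target
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e -> %2e%2e -> .."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' path segment."""
    decoded = fully_decode(target).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(decoded))


def scan(log_text: str, endpoint_hint: str = "backup") -> list:
    """Return one dict per request to an endpoint whose path contains
    endpoint_hint and whose target carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if endpoint_hint not in urlsplit(target).path.lower():
            continue
        if is_traversal(target):
            hits.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "status": int(m["status"]), "decoded": fully_decode(target),
            })
    return hits


def summarize(hits: list) -> Counter:
    """Count traversal attempts per (user, ip); a 200 status on such a
    request means the server most likely served the requested file."""
    return Counter((h["user"], h["ip"]) for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} {h["status"]} {h["decoded"]}')
    print(summarize(found))
```

On the sample it reports the three tech1 requests and none of the legitimate traffic. Decoding is repeated a bounded number of times because a single unquote misses double-encoded payloads; the status code is kept alongside each hit because a 200 on a traversal request is what distinguishes a successful read from a rejected probe.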
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-03-13T17:27:11.980Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6929c5924121026312b3ca54
Added to database: 11/28/2025, 3:53:54 PM
Last enriched: 12/31/2025, 12:08:49 AM
Last updated: 1/13/2026, 9:12:52 AM