CVE-2025-30004 is an OS command injection vulnerability identified in the Xorcom CompletePBX product, specifically affecting all versions up to and including 5.2.35. The vulnerability exists in the Task Scheduler functionality accessible by administrators. Due to improper neutralization of special characters in OS commands (classified under CWE-78), an attacker with at least limited privileges (PR:L) can inject arbitrary commands that the system executes with root-level privileges. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, as attackers can fully compromise the system, potentially leading to data theft, service disruption, or pivoting within the network. Although no public exploits have been reported yet, the nature of the vulnerability and its ease of exploitation make it a critical risk for organizations relying on CompletePBX for their telephony infrastructure. The lack of available patches at the time of publication necessitates immediate risk mitigation through access controls and monitoring.

For European organizations, the impact of this vulnerability is significant, especially for those using Xorcom CompletePBX in their telephony and VoIP systems. Successful exploitation allows attackers to gain root access, leading to full system compromise. This can result in interception or manipulation of voice communications, disruption of telephony services, unauthorized access to sensitive data, and potential lateral movement within corporate networks. Given the critical role of telephony in business operations, such compromises could lead to operational downtime, financial losses, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and reputational damage. The vulnerability's remote exploitability and lack of required user interaction increase the risk of automated or targeted attacks against European enterprises, telecom providers, and government agencies.

1. Immediately restrict administrative access to the Task Scheduler functionality to trusted personnel only, ideally through network segmentation and strict access control lists (ACLs). 2. Monitor logs and network traffic for unusual command execution patterns or unauthorized access attempts related to CompletePBX. 3. Apply vendor patches or updates as soon as they become available; maintain close communication with Xorcom for patch release notifications. 4. Employ application-layer firewalls or intrusion prevention systems (IPS) to detect and block suspicious command injection attempts targeting CompletePBX interfaces. 5. Conduct regular security audits and penetration testing focused on telephony infrastructure to identify and remediate similar vulnerabilities. 6. Implement multi-factor authentication (MFA) for administrative accounts to reduce the risk of credential compromise. 7. Backup configuration and system data regularly to enable rapid recovery in case of compromise.