CVE-2025-30005 is a path traversal vulnerability categorized under CWE-22, affecting Xorcom CompletePBX, a telephony system widely used for PBX services. The flaw exists in the Diagnostics reporting module, which improperly limits pathname inputs, enabling an attacker with authenticated high privileges to traverse directories outside the intended scope. This allows reading arbitrary files on the underlying system, potentially exposing sensitive configuration files, credentials, or other critical data. Furthermore, the vulnerability permits deletion of any retrieved file instead of generating the expected diagnostic report, impacting data integrity. The vulnerability affects all CompletePBX versions up to and including 5.2.35. The CVSS 3.1 base score is 6.7, reflecting network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), with high confidentiality and integrity impacts (C:H/I:H) and low availability impact (A:L). No public exploits have been reported yet, but the vulnerability poses a significant risk if exploited by insiders or attackers who have obtained privileged access. The lack of patch links suggests that fixes may be pending or not yet publicly released. The vulnerability could be leveraged to compromise system confidentiality and integrity, potentially leading to further lateral movement or data exfiltration within affected environments.

For European organizations, the impact of this vulnerability can be substantial, particularly for those relying on CompletePBX for critical telephony infrastructure. Unauthorized reading of arbitrary files could expose sensitive customer data, internal communications, configuration files, and credentials, leading to data breaches and compliance violations under GDPR. The ability to delete files covertly can disrupt forensic investigations and system integrity, complicating incident response. Since the vulnerability requires high privilege authentication, insider threats or compromised privileged accounts pose the greatest risk. Telephony systems are often integrated with other enterprise services, so exploitation could facilitate lateral movement and broader network compromise. The medium CVSS score reflects moderate ease of exploitation but significant confidentiality and integrity consequences. Organizations in sectors such as finance, healthcare, and government, where telephony systems handle sensitive information, are particularly vulnerable. Additionally, disruption or manipulation of telephony services can impact business continuity and customer trust.

Organizations should immediately audit access controls to the Diagnostics reporting module, ensuring only trusted administrators have access. Implement strict monitoring and logging of all privileged user activities related to CompletePBX. Until patches are available, consider disabling or restricting the Diagnostics reporting functionality if feasible. Employ file integrity monitoring solutions to detect unauthorized file deletions or modifications. Conduct regular reviews of privileged accounts and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. Network segmentation should isolate telephony systems from general IT infrastructure to limit lateral movement. Stay informed on vendor advisories for patch releases and apply updates promptly once available. Additionally, perform vulnerability scanning and penetration testing focused on telephony infrastructure to identify and remediate related weaknesses.