CVE-2025-30006 is a reflected cross-site scripting (XSS) vulnerability identified in the administrative control panel of Xorcom CompletePBX, a VoIP PBX system widely used for telephony management. The vulnerability arises from improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the affected versions up to but not including 5.2.35 fail to adequately sanitize input parameters, allowing an attacker to craft malicious URLs or payloads that, when visited by an administrative user, execute arbitrary JavaScript code in the context of the administrative interface. This can lead to theft of session tokens, manipulation of administrative functions, or redirection to malicious sites. The attack vector is remote and network-based, requiring no authentication but necessitating user interaction (clicking a malicious link). The vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS 3.1 score of 6.1 reflects a medium severity level due to the ease of exploitation and potential impact on sensitive administrative functions. No public exploits or patches have been reported at the time of disclosure, indicating a window of exposure for affected users. The vulnerability's scope is limited to the administrative control panel, which is typically accessed by a restricted set of users, but successful exploitation could lead to significant compromise of the PBX system and downstream telephony infrastructure.

For European organizations, the impact of CVE-2025-30006 can be significant, particularly for those relying on Xorcom CompletePBX for critical telephony services. Exploitation could allow attackers to hijack administrative sessions, manipulate call routing, intercept or redirect calls, and potentially gain footholds for further network intrusion. Confidentiality of administrative credentials and session tokens is at risk, which could lead to unauthorized access to sensitive telephony configurations and user data. Integrity of the PBX configuration may be compromised, affecting business communications and potentially causing operational disruptions. Although availability is not directly impacted, the indirect effects of compromised telephony systems can disrupt business continuity. European organizations in sectors such as finance, healthcare, and government, which rely heavily on secure communications, are particularly vulnerable. The lack of known exploits reduces immediate risk but also means organizations must proactively address the vulnerability before attackers develop weaponized exploits.

To mitigate CVE-2025-30006, organizations should implement the following specific measures: 1) Immediately restrict access to the CompletePBX administrative control panel using network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure to trusted administrators only. 2) Employ web application firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting the administrative interface. 3) Encourage administrators to avoid clicking on untrusted links and educate them about phishing risks associated with XSS attacks. 4) Implement Content Security Policy (CSP) headers on the administrative interface to restrict the execution of unauthorized scripts. 5) Monitor administrative access logs for unusual activity or repeated suspicious requests that may indicate exploitation attempts. 6) Coordinate with Xorcom for timely patch deployment once available, and test updates in a controlled environment before production rollout. 7) Consider deploying multi-factor authentication (MFA) for administrative access to reduce the impact of stolen session tokens. 8) Regularly audit and update the PBX system and related infrastructure to minimize exposure to known vulnerabilities.