Cyber Resilience

CVE-2025-27920

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 05 May 2025

Modified: 05 November 2025
KEV Added: 19 May 2025
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.5015 (97.9th percentile)
Risk Priority: 64 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27920 is a high-severity Path Traversal: '../filedir' (CWE-24) vulnerability in Srimax Output Messenger. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 2.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Output Messenger before version 2.0.63 is affected by a directory traversal vulnerability (CWE-24) stemming from improper file path handling that permits ../ sequences in parameters. This flaw enables access to files outside the intended directory and can result in configuration leakage or arbitrary file reads. The issue carries a CVSS 3.1 score of 7.2 with network attack vector, low complexity, and no authentication or user interaction required.

Remote unauthenticated attackers can exploit the weakness over the network to read sensitive files on affected installations, potentially exposing configuration data or other restricted content. The changed scope in the CVSS vector indicates the impact can extend beyond the vulnerable component itself.

The vendor advisory at outputmessenger.com/cve-2025-27920 and the product site recommend upgrading to version 2.0.63 or later. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active in-the-wild use.

Microsoft has attributed exploitation of the flaw as a zero-day to the Marbled Dust threat actor for regional espionage operations. The EPSS score reached a peak of 0.5202 with a current value of 0.5015.

Vulnerability details

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

CWE(s): CWE-24
KEV Date Added: 19 May 2025

Related Threats

Threat-Actor Attribution AI

Marbled Dust (G1041)
Microsoft attributes exploitation of this Output Messenger zero-day to Marbled Dust for regional espionage (May 2025 blog).

MITRE ATT&CK Enterprise Techniques AI

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1547.001 Registry Run Keys / Startup Folder (Persistence)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

Why these techniques?

The directory traversal enables reading sensitive files outside the intended directory (T1005) and uploading malicious files such as OMServerService.vbs to the startup directory for persistence (T1547.001, T1105). It is exploited through a vulnerability in a public-facing application (T1190).

CVEs Like This One

CVE-2026-39813 (Shared CWE-24)
CVE-2026-22810 (Shared CWE-24)
CVE-2026-41082 (Shared CWE-24)
CVE-2026-40318 (Shared CWE-24)
CVE-2025-0390 (Shared CWE-24)
CVE-2025-67364 (Shared CWE-24)
CVE-2025-63298 (Shared CWE-24)
CVE-2025-61318 (Shared CWE-24)
CVE-2026-28427 (Shared CWE-24)
CVE-2025-53513 (Shared CWE-24)

Affected Assets

srimax
output messenger
≤ 2.0.63

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Requires validation of file-path parameters to reject ../ sequences that enable the directory traversal in CVE-2025-27920.

Prevent: Enforces access-control policy on file resources so that traversal attempts cannot reach files outside the application's authorized directory.

Prevent: Controls information flow between subjects and objects, blocking unauthorized leakage of configuration or sensitive files via crafted path inputs.
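
The input-validation and access-enforcement controls above, shown as an added example (not Output Messenger's code and not taken from the vendor advisory): a filter that only rejects the literal `../` string is compared with a check that joins, normalizes, and then confirms the result is still inside the authorized directory. The base directory, function names and sample values are assumptions constructed for illustration; `ntpath` applies Windows path rules on any OS.

```python
import ntpath  # Windows path semantics, usable on any OS

# Hypothetical storage root; not a real Output Messenger path.
BASE_DIR = r"C:\AppData\uploads"

def naive_filter(name: str) -> bool:
    """Weak check: accept anything without the literal '../' sequence."""
    return "../" not in name

def resolve_under(base: str, name: str):
    """Join name to base, normalize, and return the result only if it
    is still inside base; return None for anything that escapes."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    # join() discards base when name is rooted or carries a drive/UNC prefix,
    # so the check must run on the joined, normalized result.
    cand = ntpath.normcase(ntpath.normpath(ntpath.join(base, name)))
    try:
        inside = ntpath.commonpath([base_n, cand]) == base_n
    except ValueError:  # different drive or UNC share
        inside = False
    return cand if inside else None

# Constructed sample parameter values (as seen after the app's URL decoding).
SAMPLES = [
    "docs/report.pdf",          # legitimate nested file
    "a/../b.txt",               # harmless, but the naive filter rejects it
    "../../conf/server.cfg",    # caught by both checks
    r"..\..\conf\server.cfg",   # backslash form slips past the naive filter
    "..",                       # bare parent reference
    r"D:\other\file.txt",       # absolute path on another drive
    r"\\host\share\file.txt",   # UNC path
]

def audit(samples=SAMPLES):
    """Return (name, naive_ok, resolved_or_None) for each sample."""
    return [(s, naive_filter(s), resolve_under(BASE_DIR, s)) for s in samples]

if __name__ == "__main__":
    for name, naive_ok, resolved in audit():
        print(f"{name!r:28} naive_ok={naive_ok!s:5} resolved={resolved}")
```

The normalization here is purely lexical; where symlinks or junctions can exist under the base directory, the same containment comparison has to be made on the path resolved against the real filesystem.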

References