CVE-2025-27920
Published: 05 May 2025
Summary
CVE-2025-27920 is a high-severity Path Traversal: '../filedir' (CWE-24) vulnerability in Srimax Output Messenger. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 2.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Output Messenger before version 2.0.63 is affected by a directory traversal vulnerability (CWE-24) stemming from improper file path handling that permits ../ sequences in parameters. This flaw enables access to files outside the intended directory and can result in configuration leakage or arbitrary file reads. The issue carries a CVSS 3.1 score of 7.2 with network attack vector, low complexity, and no authentication or user interaction required.
Remote unauthenticated attackers can exploit the weakness over the network to read sensitive files on affected installations, potentially exposing configuration data or other restricted content. The changed scope in the CVSS vector indicates the impact can extend beyond the vulnerable component itself.
The vendor advisory at outputmessenger.com/cve-2025-27920 and the product site recommend upgrading to version 2.0.63 or later. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming exploitation in the wild.
Microsoft has attributed exploitation of the flaw as a zero-day to the Marbled Dust threat actor for regional espionage operations. The EPSS score reached a peak of 0.5202 with a current value of 0.5015.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13464
Vulnerability details
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
- CWE(s): CWE-24
- KEV Date Added: 19 May 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal enables reading sensitive files outside the intended directory (T1005), uploading malicious files such as OMServerService.vbs to the startup directory for persistence (T1547.001, T1105), and exploitation of a public-facing application vulnerability (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of file-path parameters to reject ../ sequences that enable the directory traversal in CVE-2025-27920.
- AC-3 (Access Enforcement): Enforces access-control policy on file resources so that traversal attempts cannot reach files outside the application's authorized directory.
- Controls information flow between subjects and objects, blocking unauthorized leakage of configuration or sensitive files via crafted path inputs.
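The two controls above in working form, as an added example that is not code from the vendor or from this advisory: input validation rejects the raw ../ syntax (including URL-encoded and backslash variants), and a separate containment check on the canonical path enforces that any request that slips past validation still cannot leave the base directory. The base directory and the sample requests are constructed for illustration.

```python
"""Safe resolution of a user-supplied file name against a fixed base directory."""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the base directory."""


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return the absolute path of user_path inside base_dir, or raise.

    Check 1 (SI-10, input validation): reject traversal syntax up front.
    Check 2 (AC-3, access enforcement): canonicalise and require that the
    result is base_dir or a descendant of it, so a bypass of check 1 still
    cannot reach files outside the authorised directory.
    """
    # Decode twice so ../ hidden as %2e%2e%2f or %252e%252e%252f is seen.
    decoded = unquote(unquote(user_path))
    # Treat backslashes as separators; the product runs on Windows hosts.
    normalized = decoded.replace("\\", "/")
    if "\x00" in normalized:
        raise PathTraversalError("NUL byte in path")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise PathTraversalError("absolute path not allowed")
    if any(part == ".." for part in normalized.split("/")):
        raise PathTraversalError("'..' segment not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))
    # Containment on the canonical path, independent of the syntax check.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("resolved path escapes base directory")
    return candidate


def is_safe_request(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if the request resolves inside base_dir."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    BASE = "/var/lib/outputmessenger/files"  # constructed, hypothetical base dir
    for req in ["reports/a.txt", "../../config.ini", "..%2F..%2Fconfig.ini",
                "%252e%252e/config.ini", "..\\..\\config.ini", "/etc/passwd"]:
        print(f"{req!r:32} safe={is_safe_request(BASE, req)}")
```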