CVE-2025-27920 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-05

Added to CISA KEV: 2025-05-19 14 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade to Output Messenger version 2.0.63 or later
Review server logs for suspicious directory traversal attempts using '../' patterns
Implement network segmentation and restrict internet access if not required for business operations
Monitor file access logs for unauthorized configuration file access

CVE-2025-27920 is a directory traversal vulnerability affecting the Srimax Output Messenger software ^[3].

Feature	Details
Vulnerability Type	Directory Traversal (Improper File Path Handling) ^[4]
Affected Versions	All versions prior to 2.0.63?id=CVE-2025-27920?kagi_q=CVE-2025-27920
Exploitation	Active (Zero-day) ^[2]
Impact	Unauthorized access to or execution of arbitrary files ^[1]

Active Exploitation and Threat Actors: The vulnerability has been actively exploited in the wild. Notably, the threat actor tracked by Microsoft as "Marbled Dust" has been observed using this zero-day exploit since at least April 2024 to conduct regional espionage, specifically targeting user data in Iraq ^[2].
Attack Method and Requirements: The vulnerability stems from improper handling of file paths. Attackers can exploit this by using `../` (dot-dot-slash) sequences in parameters to escape intended directories and access or execute files outside of the application's restricted folders?id=CVE-2025-27920?kagi_q=CVE-2025-27920 ^[1].
Nature of Attacks: It has been utilized in targeted espionage campaigns rather than broad, automated ransomware attacks ^[2].
Impact: Successful exploitation allows an attacker to gain unauthorized access to sensitive files or execute arbitrary files on the system, potentially leading to data theft or further system compromise ^[1].
Patch Status: The vulnerability is addressed in Output Messenger version 2.0.63 and later. Users are advised to update to the latest version to mitigate this risk?id=CVE-2025-27920?kagi_q=CVE-2025-27920.

CVE-2025-27920: Directory Traversal Vulnerability
This vulnerability allows remote attackers to access or execute arbitrary files by manipulating file paths with `../` sequences.
Marbled Dust leverages zero-day in Output Messenger for regional ...
Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger, a multiplatform chat software. These exploits have r…
CVE-2025-27920 - Srimax Output Messenger Directory Traversal ...
CVE-2025-27920 is a recently discovered directory traversal vulnerability affecting Srimax Output Messenger software.
CVE-2025-27920 Detail - NVD
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

🔴 CVE-2025-27920