CVE-2025-27920
📋 TL;DR
CVE-2025-27920 is a directory traversal vulnerability in Output Messenger Server. A file path parameter containing traversal sequences such as '../' (or their percent-encoded forms) is not confined to the intended directory, so an attacker can reach files outside it. Microsoft's report on the Marbled Dust campaign (see References) describes the flaw being used by an authenticated user to upload files into the server's startup directory, which turns the bug into code execution on the server rather than only disclosure of configuration files and other sensitive data. All versions before 2.0.63 are affected.
💻 Affected Systems
- Output Messenger Server, all versions before 2.0.63
📦 What is this software?
Output Messenger is an on-premises enterprise (LAN/intranet) chat and collaboration application from Srimax; the server component that handles file transfers is the affected part.
⚠️ Risk & Real-World Impact
Worst Case
Code execution on the server host: the traversal is used to write a file into a location the server executes (Microsoft observed files placed in the server's startup directory), followed by theft of configuration files and credentials and movement to other systems on the network.
Likely Case
Configuration file leakage exposing database credentials, application secrets, and system information that could enable follow-on attacks.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place to detect traversal attempts.
🎯 Exploit Status
Exploitation needs no special tooling: a crafted path parameter containing '../' sequences is enough. The vulnerability was exploited in the wild as a zero-day by the Türkiye-affiliated espionage actor Microsoft tracks as Marbled Dust (see the Microsoft blog post in References), and CISA lists the CVE in its Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.63
Vendor Advisory: https://www.outputmessenger.com/cve-2025-27920/
Restart Required: Yes
Instructions:
1. Download Output Messenger version 2.0.63 or later from the official website.
2. Back up the current installation and configuration.
3. Run the installer to upgrade.
4. Restart the Output Messenger service.
5. Verify that the installed version is 2.0.63 or higher.
🔧 Temporary Workarounds
Input Validation Filter
Filter path traversal patterns ('../', '..\', and their percent-encoded forms such as %2e%2e%2f) in file-name and path parameters before they reach the file system. String matching alone is weak: decode the value first (including double encoding) and check that the resolved path still lies under the allowed base directory.
# Example for web.config (IIS) or appropriate input filtering for your platform
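The check a filter should perform, as an added example that is not Output Messenger code and not from the vendor: decode the user-supplied value (repeatedly, so double encoding is caught), normalise separators, refuse absolute paths, and compare the canonical result against the base directory with a common-path check rather than a string prefix. The base directory, the endpoint and the error type are assumptions for illustration.

```python
"""Traversal-safe path resolution (added example, not from the original page).

Assumed: a hypothetical file endpoint receives a user-supplied relative file name
that must stay under BASE_DIR. Paths and names here are illustrative only.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/output-messenger/uploads"   # hypothetical base directory


class TraversalError(ValueError):
    """Raised when a user-supplied path would escape BASE_DIR."""


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so '%252e%252e%2f' (double-encoded) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    # More encoding layers than any legitimate client would send: reject.
    raise TraversalError("too many encoding layers")


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Return the canonical absolute path under base_dir, or raise TraversalError."""
    decoded = _fully_decode(user_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat backslashes as separators: Windows accepts both and '..\' is as dangerous as '../'.
    normalized = decoded.replace("\\", "/")
    if not normalized:
        raise TraversalError("empty path")
    # Absolute paths and drive letters (C:/...) are never valid relative file names.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise TraversalError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(base_dir, normalized))
    # The decisive check: after normalisation the path must still sit under base_dir.
    # commonpath (not startswith) also rejects a sibling such as '/srv/.../uploads2'.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise TraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_traversal(user_path: str) -> bool:
    """Convenience predicate for a WAF-style allow/deny decision."""
    try:
        safe_resolve(user_path)
        return False
    except TraversalError:
        return True


if __name__ == "__main__":
    for probe in ("reports/q1.pdf", "../../Windows/System32/config/SAM",
                  "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e%252fboot.ini",
                  "..\\..\\boot.ini", "C:\\Windows\\win.ini", "a/../b.txt"):
        print(f"{probe!r:45} -> {'BLOCK' if is_traversal(probe) else 'allow'}")
```

Note that `a/../b.txt` is allowed: it resolves to a file inside the base directory, which is the point of checking the resolved path instead of rejecting every occurrence of `..`.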
File System Permissions Restriction
Restrict the Output Messenger service account to the directories it actually needs, so a traversal cannot write into locations that are executed or read by other components. Replace SERVICE_ACCOUNT with the real account name and test on a non-production host first: the Windows example below denies delete rights (DE, DC) on the install tree, which can interfere with in-place updates.
# Windows: icacls "C:\Program Files\Output Messenger" /deny SERVICE_ACCOUNT:(OI)(CI)(DE,DC)
# Linux (install path assumed; adjust to your deployment): chmod 750 /opt/outputmessenger && chown root:outputmessenger /opt/outputmessenger
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Output Messenger only from trusted networks
- Deploy a web application firewall (WAF) with rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check the Output Messenger version in the admin panel or via the installed files. Versions below 2.0.63 are vulnerable.
Check Version:
# Windows: Check Help > About in Output Messenger Admin Panel
# Linux: check the version file in the install directory (e.g. /opt/outputmessenger/version.txt; path assumed, confirm for your install)
Verify Fix Applied:
Verify the version shows 2.0.63 or higher in the admin interface and test that '../' sequences in file parameters are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- Access to unexpected file paths in application logs
- Failed file access attempts outside normal directories
Network Indicators:
- HTTP requests with encoded '../' sequences (%2e%2e%2f)
- Unusual file access patterns to configuration or system files
SIEM Query:
source="output_messenger.log" AND ("../" OR "..\" OR "%2e%2e%2f" OR "%2e%2e%5c" OR "..%2f" OR "..%5c" OR "%252e%252e")
(Field and source names are placeholders; match on the decoded request path where your SIEM supports it, otherwise include the encoded variants as above.)
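The same matching applied to log lines, as an added example that is not part of the original page and does not reflect Output Messenger's actual log format: the parser assumes an Apache/IIS-style access-log line with the request in quotes, the sample lines are constructed, and the detector decodes the request target before looking for a `..` segment so that `%2e%2e%2f`, `..%5c` and double-encoded forms are all caught while a file name like `2025..pdf` is not.

```python
"""Traversal-attempt detection over access-log lines (added example, not from the page).

The log format below is an assumption (Apache/IIS-style combined log); the lines
are constructed for illustration and are not real Output Messenger logs.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /api/files?name=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [12/May/2025:10:01:07 +0000] "GET /api/files?name=../../../Windows/win.ini HTTP/1.1" 200 403
10.0.0.9 - - [12/May/2025:10:01:09 +0000] "GET /api/files?name=%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 200 2048
10.0.0.9 - - [12/May/2025:10:01:11 +0000] "POST /api/upload?path=..%5c..%5cStartup%5cupdate.exe HTTP/1.1" 201 17
10.0.0.9 - - [12/May/2025:10:01:15 +0000] "GET /api/files?name=%252e%252e%252fweb.config HTTP/1.1" 400 0
10.0.0.7 - - [12/May/2025:10:02:00 +0000] "GET /api/files?name=docs/2025..pdf HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A traversal segment is '..' bounded by a separator, a query delimiter, or the
# string edges. Requiring the boundary avoids flagging names like '2025..pdf'.
TRAVERSAL_RE = re.compile(r'(^|[/\\=&?])\.\.([/\\]|$)')


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded probes are visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(log_text: str) -> list[dict]:
    """Return one record per request whose decoded target contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash the pipeline
        decoded = decode_target(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "target": m["target"],
                "decoded": decoded,
                "encoded": decoded != m["target"],   # attacker used encoding to evade filters
            })
    return hits


def sources_by_hits(hits: list[dict]) -> dict[str, int]:
    """Aggregate by source address: a burst from one host is the alerting unit."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_traversal(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["status"]} {h["decoded"]}')
    print("per-source:", sources_by_hits(found))
```

A 2xx status on a flagged request (the second, third and fourth constructed lines) is the case to escalate: the server served or accepted the traversed path. A 4xx still indicates probing and is worth correlating by source.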
🔗 References
- https://www.outputmessenger.com/cve-2025-27920/
- https://www.srimax.com/products-2/output-messenger/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27920
- https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/