CVE-2025-27591: Facebook Below Privilege Escalation Flaw

CVE-2025-27591 is a privilege escalation vulnerability in Facebook Below versions before v0.9.0. The flaw allows local users to gain root access via symlink attacks. This article covers technical details, impact, and mitigation.

CVE-2025-27591 Overview

A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.

Critical Impact

Potential for local attackers to gain root privileges

Affected Products

  • Facebook Below

Discovery Timeline

  • 2025-03-11 - CVE-2025-27591 published to NVD
  • 2025-07-03 - Last updated in NVD database

Technical Details for CVE-2025-27591

Vulnerability Analysis

This vulnerability arises from improper permissions on a directory (/var/log/below) created by the Below service. The directory is world-writable, so any local user can create entries in it. An attacker can plant a symlink there so that the service, which runs with elevated privileges, operates on the link's target instead of a log file, allowing manipulation of critical system files and potentially privilege escalation.

Root Cause

The creation of a world-writable directory without proper checks or restrictions allows tampering by unauthorized users.

Attack Vector

Local

bash
# Example exploitation code (sanitized)
ln -s /etc/shadow /var/log/below/malicious_link

Detection Methods for CVE-2025-27591

Indicators of Compromise

  • Unauthorized changes to /etc/shadow
  • Suspicious symlinks in /var/log/below
  • Unexpected user accounts with elevated privileges

Detection Strategies

Monitoring for changes in file permissions and symlink creation in the /var/log/below directory can indicate exploitation attempts. File integrity monitoring tools are recommended.

Monitoring Recommendations

Implement continuous monitoring of critical directories and system files for unauthorized access or modifications.

How to Mitigate CVE-2025-27591

Immediate Actions Required

  • Restrict permissions on /var/log/below
  • Audit existing symlinks and unauthorized access
  • Implement proper directory access controls
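
A read-only audit for the conditions listed above and under Indicators of Compromise (world-writable paths and symlinks in the log directory), as an added example that is not from the advisory or the Below project. The function name, the finding labels and the default owner root are assumptions.

```sh
#!/bin/sh
# Added example: audit a log directory for the conditions described for
# CVE-2025-27591. Read-only; it changes nothing on disk.
# Usage: audit_log_dir [DIR] [OWNER]   (defaults: /var/log/below, root)
# OWNER may be a user name or a numeric uid.
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_log_dir() {
    local dir owner findings
    dir="${1:-/var/log/below}"
    owner="${2:-root}"

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    findings=$(
        # The directory itself, or anything in it, writable by every user.
        # Symlinks are skipped here because their mode bits carry no meaning.
        find -H "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'

        # Symlinks inside the log directory, with the target each one points at.
        find -H "$dir" -type l -exec sh -c \
            'printf "SYMLINK %s -> %s\n" "$1" "$(readlink "$1")"' sh {} \;

        # Entries created by anyone other than the expected service owner.
        find -H "$dir" ! -user "$owner" -print | sed 's/^/UNEXPECTED_OWNER /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root so every entry is readable; a non-zero exit status makes it usable from cron or a configuration-management check.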

Patch Information

Apply the patch released by Facebook by upgrading Below to v0.9.0 or later.

Workarounds

If the patch cannot be applied immediately, restrict directory access permissions using chmod:

bash
# Configuration example
chmod 750 /var/log/below

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
