CVE-2025-27920 Overview
CVE-2025-27920 is a directory traversal vulnerability in Srimax Output Messenger versions before 2.0.63. The flaw stems from improper file path handling in user-supplied parameters. Attackers can inject ../ sequences to escape the intended directory and access arbitrary files on the server. Successful exploitation exposes configuration files, credentials, and other sensitive server-side data.
The vulnerability is tracked under CWE-24 (Path Traversal: '../filedir'). Microsoft Threat Intelligence attributed active exploitation of this flaw to the Marbled Dust threat actor, who used it as a zero-day for regional espionage. CISA added CVE-2025-27920 to the Known Exploited Vulnerabilities (KEV) Catalog.
Critical Impact
Authenticated attackers can read arbitrary files on the Output Messenger server, leading to credential theft, configuration disclosure, and follow-on compromise of messaging infrastructure.
Affected Products
- Srimax Output Messenger Server before 2.0.63
- Srimax Output Messenger deployments exposed to network-accessible clients
- Enterprise messaging environments using vulnerable Output Messenger builds
Discovery Timeline
- 2025-05-05 - CVE-2025-27920 published to NVD
- 2025-05-12 - Microsoft publishes analysis of Marbled Dust exploitation of the Output Messenger zero-day
- 2025-11-05 - Last updated in the NVD database
Technical Details for CVE-2025-27920
Vulnerability Analysis
The vulnerability resides in the file-handling logic of the Output Messenger server. Request parameters that reference filenames or paths are passed to file system APIs without canonicalization. An authenticated attacker submits a request containing relative path traversal sequences such as ../../../../etc/passwd or Windows equivalents. The server resolves the path outside the intended directory and returns the file contents to the attacker.
Microsoft reporting indicates the Marbled Dust group used this flaw to collect data from the Output Messenger Server Manager application. Targets included entities linked to the Kurdish military in Iraq. The attack chain combined traversal with credential collection to pivot deeper into victim networks.
Root Cause
The root cause is missing input validation and path canonicalization on file path parameters. The server trusts client-supplied path components and does not enforce a chroot-style boundary. There is no allowlist for permitted directories and no rejection of .. segments before file system access.
Attack Vector
The attack vector is network-based and requires low-privilege authentication on the Output Messenger application. An attacker with any valid account can craft HTTP requests with traversal sequences in vulnerable parameters. No user interaction is required. Successful requests return arbitrary file contents, including configuration files containing database connection strings, API keys, and stored credentials.
The vulnerability manifests when relative path segments reach a file read API such as File.ReadAllBytes or equivalent. See the Output Messenger advisory and the Microsoft Marbled Dust analysis for technical details.
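The controls named in the root cause above (canonicalization, rejection of '..' segments, and a hard base-directory boundary before any file read) are easiest to see in code. The resolver below is an added Python example written for this page; it is not code from Output Messenger, from the vendor's 2.0.63 patch, or from Microsoft's report. BASE_DIR, the function names and the decode-twice step are assumptions for the demo, and the unsafe variant exists only to contrast with the checked one.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory for the demo; a real server would use its
# configured data directory. posixpath is used throughout so the result is
# the same on Windows and Linux runners.
BASE_DIR = "/srv/om/attachments"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path fails a boundary check."""


def resolve_unsafe(user_path: str, base: str = BASE_DIR) -> str:
    """The pattern the advisory describes: the client value is joined to the
    base directory and handed to the file API with no validation. Four '..'
    segments are enough to walk out of a three-level base directory."""
    return posixpath.normpath(posixpath.join(base, user_path))


def canonicalize(user_path: str) -> str:
    """Undo URL encoding (twice, so %252e%252e%252f is also caught) and unify
    Windows and POSIX separators before any segment check runs."""
    decoded = user_path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def resolve_safe(user_path: str, base: str = BASE_DIR) -> str:
    """Return the canonical path for user_path under base, or raise.

    Checks run on the canonical form, never on the raw request value:
      1. NUL bytes, empty names, absolute paths and drive letters are rejected
      2. any literal '..' segment is rejected before the join
      3. the normalized result must still start with base (defense in depth)
    """
    rel = canonicalize(user_path)
    if not rel or "\x00" in rel:
        raise PathTraversalError("empty path or NUL byte in path")
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        raise PathTraversalError("absolute path or drive letter not allowed")
    if any(segment == ".." for segment in rel.split("/")):
        raise PathTraversalError("parent directory segment not allowed")
    full = posixpath.normpath(posixpath.join(base, rel))
    root = base.rstrip("/") + "/"
    if not full.startswith(root):
        raise PathTraversalError("resolved path escapes base directory")
    return full


def is_allowed(user_path: str, base: str = BASE_DIR) -> bool:
    """Boolean wrapper around resolve_safe for callers that only need a verdict."""
    try:
        resolve_safe(user_path, base)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Demo: the unsafe join walks out of BASE_DIR, the checked version refuses.
    print(resolve_unsafe("../../../../etc/passwd"))   # /etc/passwd
    for candidate in ("report.pdf", "..\\..\\web.config", "%2e%2e%2fetc%2fpasswd"):
        print(candidate, "->", "allowed" if is_allowed(candidate) else "rejected")
```

On a real server the last step should additionally resolve symbolic links (os.path.realpath) before the prefix comparison, since a symlink inside the data directory can point outside it even when every segment check passes.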
Detection Methods for CVE-2025-27920
Indicators of Compromise
- HTTP requests to Output Messenger endpoints containing ../, ..\, or URL-encoded variants such as %2e%2e%2f
- Unexpected reads of system files like /etc/passwd, web.config, or Output Messenger configuration files by the Output Messenger service account
- Outbound connections from Output Messenger servers to infrastructure linked to Marbled Dust as documented in Microsoft Threat Intelligence reporting
- Anomalous authentication followed by sequential file-access requests within a short window
Detection Strategies
- Inspect application and web server logs for traversal patterns in query strings, POST bodies, and URI paths targeting Output Messenger
- Alert on Output Messenger process activity that reads files outside its installation directory
- Correlate authenticated sessions with high-volume file access requests across distinct paths
- Deploy behavioral endpoint monitoring on the Output Messenger host to flag unusual file-read patterns by the service process
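The indicators and detection strategies above (traversal sequences in query strings, including backslash and URL-encoded variants, and a burst of distinct file-access requests within one authenticated session) can be turned into a small log checker. This is an added Python example for this page, not tooling from Microsoft, Srimax, CISA or any SIEM product. The six-field log line layout, the file= parameter name, the 60-second window and the threshold of four distinct targets are assumptions for the demo, and the log lines themselves are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed, simplified access-log lines: time user client-ip method uri status.
# Real IIS or reverse-proxy logs carry more fields; adapt LINE_RE to your format.
SAMPLE_LOG = """\
2025-05-10T09:14:01Z alice 10.0.0.5 GET /om/download?file=report.pdf 200
2025-05-10T09:16:40Z alice 10.0.0.5 GET /om/download?file=minutes.docx 200
2025-05-10T09:20:03Z bob 198.51.100.7 GET /om/download?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd 200
2025-05-10T09:20:05Z bob 198.51.100.7 GET /om/download?file=..%5C..%5C..%5Cweb.config 200
2025-05-10T09:20:09Z bob 198.51.100.7 GET /om/download?file=%252e%252e%252fetc%252fshadow 404
2025-05-10T09:30:00Z carol 10.0.0.12 GET /om/download?file=a.pdf 200
2025-05-10T09:30:04Z carol 10.0.0.12 GET /om/download?file=b.pdf 200
2025-05-10T09:30:07Z carol 10.0.0.12 GET /om/download?file=c.pdf 200
2025-05-10T09:30:11Z carol 10.0.0.12 GET /om/download?file=d.pdf 200
2025-05-10T09:30:15Z carol 10.0.0.12 GET /om/download?file=e.pdf 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# A '..' that is not part of a longer name (e.g. 'file..txt') and is followed
# by a separator or the end of the string. Runs on the normalized URI.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?=/|$)")


def normalize_uri(uri: str) -> str:
    """Decode twice to expose double-encoded sequences, then unify separators."""
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True when the normalized URI contains a parent-directory segment."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unparseable input."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, user, ip, method, uri, status = match.groups()
    target = parse_qs(urlsplit(uri).query).get("file", [""])[0]
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "ip": ip, "method": method, "uri": uri,
        "status": int(status), "target": target,
    }


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def traversal_hits(events: list) -> list:
    """Indicator 1: requests whose URI carries a traversal sequence."""
    return [ev for ev in events if has_traversal(ev["uri"])]


def burst_users(events: list, window_s: int = 60, threshold: int = 4) -> set:
    """Indicator 2: users who fetch at least `threshold` distinct targets
    within any `window_s`-second window, regardless of whether the names
    look malicious. Sliding window per user over time-sorted events."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            limit = start["time"] + timedelta(seconds=window_s)
            targets = {e["target"] for e in evs[i:] if e["time"] <= limit}
            if len(targets) >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in traversal_hits(events):
        print("TRAVERSAL", ev["time"].isoformat(), ev["user"], ev["ip"], ev["uri"])
    print("BURST", sorted(burst_users(events)))
```

The same normalize_uri step is what a WAF rule in front of an unpatched server needs: matching on the raw request string misses the %2e%2e%2f, backslash and double-encoded forms that the indicator list calls out. The burst heuristic is intentionally name-agnostic; it is the correlation of one session with many distinct paths in a short window that the detection strategy describes, and the threshold should be tuned against a baseline of normal user behaviour.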
Monitoring Recommendations
- Forward Output Messenger server logs, IIS or reverse proxy logs, and host telemetry to a centralized SIEM such as Singularity AI SIEM for rule-based and behavioral analysis
- Establish a baseline of normal file access by the Output Messenger service and alert on deviations
- Monitor for new local accounts, scheduled tasks, or credential dumps on Output Messenger servers after suspected traversal activity
How to Mitigate CVE-2025-27920
Immediate Actions Required
- Upgrade Output Messenger Server and clients to version 2.0.63 or later without delay
- Rotate any credentials, API keys, and certificates stored on or accessible from Output Messenger servers
- Review server file system and authentication logs for evidence of prior exploitation back to early 2025
- Restrict network access to the Output Messenger management interface to trusted administrative networks only
Patch Information
Srimax released a fixed build in Output Messenger 2.0.63. The patch enforces path validation on file parameters and rejects traversal sequences. Refer to the vendor advisory for upgrade instructions and the CISA KEV entry for federal remediation deadlines.
Workarounds
- If immediate patching is not possible, place the Output Messenger server behind a web application firewall configured to block ../, ..\, and encoded traversal patterns
- Limit Output Messenger service account privileges to the minimum file system scope required for operation
- Disable external exposure of the Output Messenger Server Manager interface until the patched version is deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.