CVE-2025-27920
published 2025-05-05


Priority: P1 (83) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed, remediation due 2025-06-09 · Exploited in the wild (ITW)
EPSS: 1.81% (75.9th percentile)
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
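The advisory text names the bug class (a request parameter joined onto a base directory with no containment check) but the page does not show Output Messenger's own file-handling code. The following is an added illustration, written for this page rather than taken from the vendor, of that pattern next to a hardened resolver. BASE_DIR and the function names are assumptions for the example; Windows path semantics (both separators, case-insensitive NTFS) are modelled with ntpath so it runs anywhere.

```python
import ntpath
from urllib.parse import unquote

# Assumed data directory for illustration only; not Output Messenger's real layout.
BASE_DIR = r"C:\OutputMessenger\Server\data"


def vulnerable_resolve(base, requested):
    """The bug class the advisory describes: the request parameter is joined
    straight onto the base directory, so '..\\' or '../' walks out of it."""
    return ntpath.normpath(ntpath.join(base, requested))


def safe_resolve(base, requested):
    """Hardened form: decode, normalise, then insist the result stays under base.
    Raises ValueError on any escape attempt."""
    # Decode twice so a double-encoded '..' (%252e%252e) is not missed.
    decoded = unquote(unquote(requested))
    # Windows accepts both separators; canonicalise to backslash before normalising.
    decoded = decoded.replace("/", "\\")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Reject absolute, rooted and drive-relative ("C:secret") inputs outright.
    if ntpath.isabs(decoded) or ntpath.splitdrive(decoded)[0]:
        raise ValueError("absolute or drive-qualified path rejected")
    base_norm = ntpath.normpath(base)
    target = ntpath.normpath(ntpath.join(base_norm, decoded))
    # Compare case-insensitively and via commonpath rather than a string-prefix
    # test, so '..\\data_other' is not mistaken for something under '..\\data'.
    common = ntpath.commonpath([ntpath.normcase(base_norm), ntpath.normcase(target)])
    if common != ntpath.normcase(base_norm):
        raise ValueError(f"path escapes {base}: {requested!r}")
    return target


def is_traversal_attempt(requested, base=BASE_DIR):
    """True if safe_resolve would reject the value; useful as a request filter."""
    try:
        safe_resolve(base, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = r"..\..\..\Windows\win.ini"
    print("vulnerable:", vulnerable_resolve(BASE_DIR, probe))
    print("hardened rejects it:", is_traversal_attempt(probe))
    print("hardened allows:", safe_resolve(BASE_DIR, "logs/today.log"))
```

The two things that usually go wrong when patching this class are shown in the comments: decoding only once (so `%252e%252e` survives to a later decode) and checking containment with `startswith`, which accepts a sibling directory whose name merely begins with the base name.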

Affected

1 range

Vendor   Product           Version range   Fixed in
srimax   output_messenger  < 2.0.63        2.0.63

Detection & IOCs (extracted from sources)

domain    api.wordinfos[.]com
filename  OMServerService.exe
command   ../
  • Monitor for directory traversal sequences (../) in Output Messenger server request parameters, which are the core exploit mechanism for CVE-2025-27920.
  • Hunt for the presence of OMServerService.exe on Output Messenger server hosts, particularly in the server's startup folder, as this is the backdoor dropped post-exploitation.
  • Alert on network connections from Output Messenger server processes to api.wordinfos[.]com, which is the C2 domain used by the Marbled Dust backdoor for victim identification and tasking.
  • Detect RAR archive creation activity on Output Messenger server hosts shortly after suspicious file collection commands, as this is the observed exfiltration staging technique used by Marbled Dust.
  • Investigate Output Messenger deployments for unauthorized file writes into the server's startup folder, which is the persistence mechanism used to deploy the backdoor payload.
  • Monitor for Output Messenger client connections to unexpected external IP addresses shortly after server compromise, as this pattern was observed for data exfiltration to Marbled Dust infrastructure.
  • Exploitation requires prior authentication to the Output Messenger Server Manager application; unauthenticated access alone is insufficient to trigger the directory traversal.
  • Marbled Dust is assessed to obtain valid credentials via DNS hijacking or typo-squatted domains before exploitation, so credential interception may precede the directory traversal in the kill chain.
  • Only Output Messenger versions before 2.0.63 are vulnerable; the fix shipped in December as V2.0.63.
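The detection bullets above describe four observable stages: traversal sequences in request parameters, OMServerService.exe written into a startup folder, connections to api.wordinfos[.]com, and RAR staging. The script below is an added example for this page, not a vendor or Microsoft detection rule, that runs those checks over constructed telemetry in an assumed simplified schema (one dict per event) and rates a host by how many distinct stages it shows. The host names, source IPs and the exact startup-folder location are assumptions; the indicators themselves are the page's.

```python
import re
from urllib.parse import unquote

# Indicators from the page; the domain is refanged here so it can be compared.
C2_DOMAINS = {"api.wordinfos.com"}
BACKDOOR_FILENAME = "omserverservice.exe"
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed telemetry in an assumed schema (not a real product log format):
# a hypothetical compromised host 'om-srv01' and a clean host 'om-srv02'.
SAMPLE_EVENTS = [
    {"type": "http", "host": "om-srv01", "src": "203.0.113.7", "param": r"..\..\..\Windows\win.ini"},
    {"type": "http", "host": "om-srv01", "src": "203.0.113.7", "param": "..%2f..%2fconfig%2fserver.ini"},
    {"type": "file_create", "host": "om-srv01",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.exe"},
    {"type": "net", "host": "om-srv01", "process": "OMServerService.exe", "dest": "api.wordinfos.com"},
    {"type": "file_create", "host": "om-srv01", "path": r"C:\Users\Public\collected.rar"},
    {"type": "http", "host": "om-srv02", "src": "10.0.0.5", "param": "logs/today.log"},
    {"type": "net", "host": "om-srv02", "process": "svchost.exe", "dest": "update.microsoft.com"},
]


def check_event(ev):
    """Return a list of (stage, message) tuples for one event; empty if nothing matched."""
    hits = []
    if ev["type"] == "http":
        # Decode twice so percent-encoded and double-encoded '../' are both caught.
        if TRAVERSAL.search(unquote(unquote(ev["param"]))):
            hits.append(("exploit", f"traversal sequence in request parameter from {ev['src']}: {ev['param']!r}"))
    elif ev["type"] == "file_create":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name == BACKDOOR_FILENAME:
            hits.append(("persist", f"backdoor filename dropped: {ev['path']}"))
        # The exact startup location is assumed; match any path component named 'startup'.
        if "\\startup\\" in path:
            hits.append(("persist", f"write into a startup folder: {ev['path']}"))
        if name.endswith(".rar"):
            hits.append(("staging", f"RAR archive created: {ev['path']}"))
    elif ev["type"] == "net":
        if ev["dest"].lower().rstrip(".") in C2_DOMAINS:
            hits.append(("c2", f"{ev['process']} contacted {ev['dest']}"))
    return hits


def stages_per_host(events):
    """Map host -> set of kill-chain stages observed; hosts with no hits are omitted."""
    seen = {}
    for ev in events:
        for stage, _ in check_event(ev):
            seen.setdefault(ev["host"], set()).add(stage)
    return seen


def probable_compromise(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages. A lone traversal probe
    may be a scanner; exploit followed by persistence, C2 or staging is the
    pattern the page attributes to Marbled Dust."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for stage, msg in check_event(ev):
            print(f"[{ev['host']}] {stage:8} {msg}")
    print("probable compromise:", probable_compromise(SAMPLE_EVENTS))
```

Feeding real data means mapping your own sources onto the three event types (web/application request logs for `http`, file-creation telemetry such as Sysmon event 11 for `file_create`, DNS or proxy logs for `net`); the stage correlation is what keeps a single `../` probe from a scanner from paging anyone, while an authenticated traversal followed by a startup-folder write does.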

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck               7.2    HIGH
cisa                    8.8    HIGH
vendor_redhat           7.8    HIGH