CVE-2025-27920
Published: 2025-05-05
Priority: P1 · 83 · high
CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2025-06-09
Exploited in the wild
EPSS: 1.81% (75.9th percentile)
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| srimax | output_messenger | < 2.0.63 | 2.0.63 |
Detection & IOCs (extracted from sources)
- Monitor for directory traversal sequences (../) in Output Messenger server request parameters, which are the core exploit mechanism for CVE-2025-27920.
- Hunt for the presence of OMServerService.exe on Output Messenger server hosts, particularly in the server's startup folder, as this is the backdoor dropped post-exploitation.
- Alert on network connections from Output Messenger server processes to api.wordinfos[.]com, which is the C2 domain used by the Marbled Dust backdoor for victim identification and tasking.
- Detect RAR archive creation activity on Output Messenger server hosts shortly after suspicious file collection commands, as this is the observed exfiltration staging technique used by Marbled Dust.
- Investigate Output Messenger deployments for unauthorized file writes into the server's startup folder, which is the persistence mechanism used to deploy the backdoor payload.
- Monitor for Output Messenger client connections to unexpected external IP addresses shortly after server compromise, as this pattern was observed for data exfiltration to Marbled Dust infrastructure.
- Exploitation requires prior authentication to the Output Messenger Server Manager application; unauthenticated access alone is insufficient to trigger the directory traversal.
- Marbled Dust is assessed to obtain valid credentials via DNS hijacking or typo-squatted domains prior to exploitation, meaning credential interception may precede the directory traversal attack in the kill chain.
- Only Output Messenger versions prior to 2.0.63 are vulnerable; the patch was released in December and the fixed version is V2.0.63.
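As an added illustration of the first detection item above (this is not code from any source quoted on this page): a small Python scanner that normalises request parameters with bounded percent-decoding and backslash folding before looking for a bare `..` path segment, run over constructed log lines. The log line format, the `/api/files` path and the `name` parameter are assumptions; Output Messenger's real server logs will differ, so adapt `LINE_RE` to your own format.

```python
"""Flag directory-traversal sequences in request parameters (added example)."""
import re
from typing import Optional
from urllib.parse import unquote, parse_qsl, urlsplit

# Constructed sample lines, assumed format: "<ts> <src_ip> <method> <path?query>"
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.0.0.5 GET /api/files?name=report.pdf
2025-05-01T10:00:02Z 10.0.0.9 GET /api/files?name=../../config/settings.xml
2025-05-01T10:00:03Z 10.0.0.9 GET /api/files?name=..%2F..%2Fusers.db
2025-05-01T10:00:04Z 10.0.0.9 GET /api/files?name=%252e%252e%255c%252e%252e%255cserver.ini
2025-05-01T10:00:05Z 10.0.0.7 GET /api/files?name=notes..txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
MAX_DECODE_ROUNDS = 3  # bounded so double/triple encoding cannot stall the scanner

def normalise(value: str) -> str:
    """Percent-decode repeatedly (bounded) and fold backslashes to forward slashes."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_traversal(value: str) -> bool:
    """True only when a normalised path component is exactly '..' (so 'notes..txt' is clean)."""
    return any(seg == ".." for seg in normalise(value).split("/"))

def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a log line whose query carries a '..' segment, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, target = m.groups()
    query = urlsplit(target).query
    # parse_qsl decodes one layer; normalise() handles any further layers
    hits = [(k, normalise(v)) for k, v in parse_qsl(query, keep_blank_values=True) if has_traversal(v)]
    if not hits:
        return None
    return {"ts": ts, "src": src, "method": method, "params": hits}

def scan_log(text: str) -> list:
    """Run scan_line over every line and collect the findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```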
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
GHSA
GHSA-66q6-24vw-2g98: Output Messenger before 2
Source: ghsa_unreviewed · 2025-05-05
CVE-2025-27920 [CRITICAL] CWE-22 GHSA-66q6-24vw-2g98: Output Messenger before 2
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
VulnCheck
Srimax Output Messenger Directory Traversal Vulnerability
Source: vulncheck · 2025 · CVSS 7.2
CVE-2025-27920 [HIGH] CWE-22 Srimax Output Messenger Directory Traversal Vulnerability
Srimax Output Messenger Directory Traversal Vulnerability
Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Affected: Srimax Output Messenger
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/; https://hivepro.com/threat-advisory/espionage-ops-exploit-output-messenger-vulnerability/; https://www.cisa.gov/sites/default/files/feeds/kn
Red Hat
fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
Source: vendor_redhat · 2025-12-31 · CVSS 7.8
CVE-2025-15277 [HIGH] CWE-122 fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920.
A flaw was found in FontForge. This vulnerability, a heap-
CISA
Srimax Output Messenger Directory Traversal Vulnerability
Source: cisa · 2025-05-19 · CVSS 8.8
CVE-2025-27920 [HIGH] CWE-22 Srimax Output Messenger Directory Traversal Vulnerability
Vulnerability: Srimax Output Messenger Directory Traversal Vulnerability
Affected: Srimax Output Messenger
Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.outputmessenger.com/cve-2025-27920/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-27920
Remediation Due Date: 2025-06-09
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Output Messenger flaw exploited as zero-day in espionage attacks
Source: blogs_bleepingcomputer · 2025-05-12 · CVSS 7.2
CVE-2025-27920 [HIGH] Output Messenger flaw exploited as zero-day in espionage attacks
## Output Messenger flaw exploited as zero-day in espionage attacks
By Sergiu Gatlan
A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq.
Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application, a directory traversal vulnerability that can let authenticated attackers access sensitive files outside the intended directory or deploy malicious payloads on the server's startup folder.
"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the a
Bugzilla
CVE-2025-15277 fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
Source: bugzilla · 2025-12-31 · CVSS 7.8
CVE-2025-15277 [HIGH] CVE-2025-15277 fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
CVE-2025-15277 fontforge: FontForge: Remote Code Execution via malicious SGI file parsing
FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920.
References
- https://www.outputmessenger.com/cve-2025-27920/
- https://www.srimax.com/products-2/output-messenger/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27920
- https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
Timeline
- 2025-05-05: Published
- 2025-05-19: Added to CISA KEV
- Exploited in the wild