CVE-2025-27920
In short
Output Messenger versions before 2.0.63 allow attackers to access files outside the intended folder using path tricks (../ sequences), potentially exposing sensitive configuration files and other private data.
Technical detail
Output Messenger before 2.0.63 contains a directory traversal vulnerability caused by improper validation of file paths supplied in parameters. Attackers can inject ../ sequences to traverse directories and read arbitrary files, compromising the confidentiality of configuration and sensitive data without requiring authentication.
Summary generated and translated by AI from the official description.
Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
Srimax · Output Messenger
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27920
https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
https://www.outputmessenger.com/cve-2025-27920/
https://www.srimax.com/products-2/output-messenger/