Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Directory Traversal in Srimax Output Messenger

Identifiers: CVE-2025-27920 · CWE-22 (Improper Limitation of a Pathname…)

CVE-2025-27920 is a directory traversal vulnerability in Srimax Output Messenger affecting version 2.0.62 and earlier releases (fixed in 2.0.63). The flaw is caused by improper file path handling in the application: attacker-controlled path input containing "../" sequences is not restricted to the intended directory. Available reporting indicates the issue is reachable through Output Messenger server functionality, including the Server Manager and the file-sharing/upload workflow, allowing an authenticated attacker to access files outside the expected directory boundary. Microsoft reporting further indicates the flaw can be used to upload arbitrary files into the server startup directory, enabling execution of attacker-controlled payloads. In observed exploitation, the vulnerability was used to place VBS scripts and Golang backdoors such as OMServerService.exe and OMClientService.exe on victim systems.


ANALYST BRIEF: Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can expose configuration files, sensitive user data, source code, and other files outside the intended directory structure. Where the vulnerable file handling is used in upload or server-side file placement operations, the flaw can be escalated from arbitrary file access to arbitrary file write into sensitive locations such as the server startup directory, resulting in remote code execution. Compromise of an Output Messenger server can in turn provide access to communications of all users on the system, enable theft of sensitive data, user impersonation, credential compromise, unauthorized access to internal systems, and operational disruption. The vulnerability has been reported as actively exploited in the wild in espionage operations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to Output Messenger Server Manager and related administrative/file-sharing interfaces to trusted administrators only, limit network exposure, and monitor for path traversal attempts containing "../" sequences. Enforce strong authentication and MFA where possible, as exploitation in reported cases required authenticated access. Inspect startup folders and application-controlled write locations for unauthorized file creation, and monitor for suspicious child processes, script execution, or outbound connections from Output Messenger components, including traffic to unrecognized domains. Additional defensive controls such as WAF rules, IDS/IPS signatures, and strict segmentation of messaging servers may reduce exposure, but patching is the primary mitigation.
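Two of the controls above in working form, as an added defender's example that is not Mallory's or Srimax's code: safe_join is the containment check that the vulnerable file handling lacks (it refuses any resolved path that lands outside the upload directory), and scan_log flags request lines carrying plain or percent-encoded "../" sequences, run over constructed sample log lines. The log format, directory names and file names are assumptions.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Matches "../" or "..\" after decoding; encoded forms such as %2e%2e%2f,
# ..%2F and double-encoded %252e%252e%252f are normalised before this runs.
_TRAVERSAL = re.compile(r"\.\.[\\/]")
_REQ_PATH = re.compile(r'"(?:GET|POST|PUT)\s+(\S+)')

def decode_for_inspection(raw: str) -> str:
    """Percent-decode up to twice so single- and double-encoded dots both show."""
    decoded = raw
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def has_traversal(raw: str) -> bool:
    """True if the decoded value contains a parent-directory hop."""
    return bool(_TRAVERSAL.search(decode_for_inspection(raw)))

def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; None if it escapes. Absolute inputs,
    "../" hops and prefix tricks (uploads vs uploads_old) are all rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, decoded request path) for each request with a traversal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ_PATH.search(line)
        if m and has_traversal(m.group(1)):
            hits.append((n, decode_for_inspection(m.group(1))))
    return hits

# Constructed sample access-log lines (not real traffic): line 2 is an upload
# hopping toward a startup folder, line 3 a double-encoded config read.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2025:10:00:01 +0000] "POST /upload?name=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - bob [12/Jan/2025:10:00:07 +0000] "POST /upload?name=..%2F..%2Fstartup%2Fupdate.vbs HTTP/1.1" 200 90',
    '10.0.0.9 - bob [12/Jan/2025:10:00:09 +0000] "GET /files?path=%252e%252e%252fconfig.ini HTTP/1.1" 403 0',
]
```

A hit on an upload endpoint that returned 200 is the case to triage first, since that is the write path reported as abused here.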

Remediation

Patch, then assume compromise.

Upgrade Srimax Output Messenger to version 2.0.63 or later. Srimax patched CVE-2025-27920 in the 2.0.63 release issued in December 2024. Ensure all server and client deployments are updated, especially internet-exposed or centrally managed Output Messenger instances. Review server startup directories, file-sharing paths, and application directories for unauthorized files such as unexpected VBS scripts or executables, and investigate for indicators of compromise if the product was exposed while running a vulnerable version.

PUBLIC EXPLOITS

No public exploits tracked yet (0 valid / 0 total). No public exploit code observed for this vulnerability.

EXPOSURE SURFACE: Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product           Type
Srimax   Output Messenger  application

Vendor-confirmed product mapping.
