[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
KETCHUM Steve J * DAS
Steve.J.KETCHUM at das.oregon.gov
Mon May 19 15:00:33 PDT 2025
Good afternoon,
The SOC Services team is reporting on the following vulnerability: CVE-2025-27920, Srimax Output Messenger Directory Traversal Vulnerability. Due to its high visibility, we are providing this in-depth information:
History: On December 25, 2024, Output Messenger published a security advisory regarding the vulnerability in their communication platform. CVE-2025-27920 has been assigned a CVSSv3 score of 7.2 (High) by MITRE and is currently awaiting analysis by NIST.
Affected Versions:
* All versions earlier than V2.0.63
Fixed version:
* V2.0.63
For more information directly from Output Messenger, please see the vendor advisory: https://www.outputmessenger.com/cve-2025-27920/. Additionally, here is Microsoft's write-up on the exploitation of this vulnerability: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/.
Intelligence: As of May 19, 2025, CISA has confirmed that the vulnerability is being exploited in the wild and has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability has been exploited by a Turkish-affiliated espionage threat actor that Microsoft tracks as Marbled Dust; its activity overlaps with groups that other security researchers track as Sea Turtle and UNC1326. Microsoft notes that Marbled Dust's successful use of a zero-day in Output Messenger is new behavior for this actor.
Workarounds: No workaround information has been made available by the vendor at this time; updating to V2.0.63 or later is the only published remediation.
How it works:
"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, explains in a security advisory issued in December 2024, when the bug was patched with the release of Output Messenger V2.0.63.
Microsoft revealed on May 12, 2025 that Marbled Dust (also tracked as Sea Turtle, SILICON, and UNC1326) targeted users who had not updated their systems, infecting them with malware after gaining access to the Output Messenger Server Manager application. "While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft said.
Next, the attackers deployed a backdoor (OMServerService.exe) onto the victims' devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and then provided the threat actors with additional information to identify each victim.
Post-Exploit:
Microsoft Threat Intelligence analysts who spotted these attacks also discovered the security flaw (CVE-2025-27920) in the LAN messaging application: a directory traversal vulnerability that lets an authenticated attacker read sensitive files outside the intended directory or drop malicious payloads into the server's Startup folder, whose contents Windows executes at logon.
The attack also infects Windows clients. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe and a second backdoor written in Go, OMClientService.exe. The latter connects to a Marbled Dust command-and-control (C2) domain, and in at least one case the victim device connected to an IP address linked to the group, "likely for data exfiltration, as these connections coincide with the threat actor issuing commands to collect files with varying file extensions to a RAR file on the desktop," according to Microsoft.
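The traversal pattern described above, shown as an added PowerShell example (this is not Output Messenger's code, which is not public): a naive path join that lets an authenticated user's request escape the intended directory, next to the canonicalize-then-check fix. The data directory, the requested file names and the dropped file name are illustrative assumptions; the Startup folder path is the standard Windows all-users location.

```powershell
# Added example: directory traversal, vulnerable join vs. contained join.
# Not Output Messenger code. $base and the requested paths below are assumptions.

function Resolve-NaivePath {
    param([string]$Base, [string]$Requested)
    # Vulnerable pattern: trust the caller's relative path. Combine() returns $Requested
    # unchanged when it is already absolute, and GetFullPath() happily walks every '..'.
    return [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($Base, $Requested))
}

function Resolve-ContainedPath {
    param([string]$Base, [string]$Requested)
    # Hardened pattern: canonicalize first, then require the result to stay under $Base.
    # The trailing separator stops 'C:\App\Data2' from passing a check for 'C:\App\Data'.
    $baseFull = [System.IO.Path]::GetFullPath($Base).TrimEnd('\') + '\'
    $target   = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($Base, $Requested))
    if (-not $target.StartsWith($baseFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Traversal blocked: '$Requested' resolves to '$target', outside '$baseFull'"
    }
    return $target
}

$base = 'C:\OutputMessengerServer\Data'   # assumed server data directory
$requests = @(
    'reports\2025-05.log',                                                                  # legitimate request
    '..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.exe', # climbs into the all-users Startup folder
    'C:\Windows\System32\config\SAM'                                                        # absolute path, no '..' needed
)

foreach ($r in $requests) {
    Write-Host "Naive:     $(Resolve-NaivePath -Base $base -Requested $r)"
    try   { Write-Host "Contained: $(Resolve-ContainedPath -Base $base -Requested $r)" }
    catch { Write-Host "Contained: $($_.Exception.Message)" }
}
```

Run on Windows PowerShell or pwsh on Windows (the paths are Windows-style). The second request resolves to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.exe under the naive join, which is exactly the "payload in the server's startup folder" outcome the advisory describes; the contained version rejects it and also rejects the absolute path, which a blocklist of ".." substrings alone would miss.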
As of May 19, 2025, Tenable has released no plugins that detect this vulnerability, so version checks must be performed manually or with other tooling.
Recommended Actions:
* Verify that the host has not been compromised before applying patches.
* Apply the vendor's update (V2.0.63 or later) to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
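The first recommended action, checking for compromise before patching, as an added PowerShell triage script (this is not Output Messenger, Microsoft or CISA tooling). It reports the installed version against V2.0.63 and then looks for the artifacts named in the sections above: the OMServerService.exe and OMClientService.exe file names, the contents of the Startup folders, cached DNS lookups for api.wordinfos[.]com, and recently created RAR archives on user desktops. The registry DisplayName pattern and the assumption that the uninstall entry carries a parseable version string are assumptions about the installer; run it elevated on the Output Messenger server and on client workstations.

```powershell
# Added triage example for "verify host has not been compromised before applying patches".
# Not vendor or Microsoft tooling. Indicators come from the advisory text; the registry
# DisplayName pattern and the version string format are assumptions about the installer.
#Requires -RunAsAdministrator

$Indicators = @{
    FixedVersion  = [version]'2.0.63'
    BackdoorNames = @('OMServerService.exe', 'OMClientService.exe')
    C2Domain      = 'api.wordinfos.com'     # written defanged as api.wordinfos[.]com above
}

function Get-OutputMessengerInstall {
    # Read both Uninstall hives; matching on DisplayName is an assumption about the installer.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Output Messenger*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-OutputMessengerPatched {
    param([string]$DisplayVersion)
    # $true when the installed build is at or above the fixed release. An unparseable
    # version string is reported as unpatched so that it gets looked at.
    try   { return ([version]($DisplayVersion -replace '^[vV]') -ge $Indicators.FixedVersion) }
    catch { return $false }
}

function Find-MarbledDustArtifacts {
    # 1. Running processes and on-disk files carrying the backdoor names. A name match alone
    #    is weak evidence, so the Authenticode status is recorded for every file found.
    #    Recursing through Program Files, ProgramData and Users can take a few minutes.
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($Indicators.BackdoorNames -contains (Split-Path $_.Path -Leaf)) } |
        Select-Object Id, Path
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, "$env:SystemDrive\Users") |
        Where-Object { $_ -and (Test-Path $_) }
    $files = Get-ChildItem -Path $roots -Recurse -File -Include $Indicators.BackdoorNames -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, Length,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }

    # 2. Everything in the all-users and per-user Startup folders: the traversal was used to
    #    place payloads there, so every entry needs a known owner.
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
        @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
    $startup = Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, Length

    # 3. Cached DNS answers for the C2 domain. Only recent lookups survive in the cache, so a
    #    miss here is not a clean bill; check resolver or firewall logs as well.
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$($Indicators.C2Domain)*" } |
        Select-Object Entry, Data

    # 4. RAR archives created on user desktops in the last 90 days, the staging pattern
    #    Microsoft described for the client-side backdoor.
    $rars = Get-ChildItem "$env:SystemDrive\Users\*\Desktop\*.rar" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-90) } |
        Select-Object FullName, CreationTime, Length

    [pscustomobject]@{
        BackdoorProcesses = @($procs)
        BackdoorFiles     = @($files)
        StartupItems      = @($startup)
        C2DnsCache        = @($dns)
        DesktopRarFiles   = @($rars)
    }
}

$installs = @(Get-OutputMessengerInstall)
if ($installs.Count -eq 0) {
    Write-Host 'No Output Messenger entry found in the Uninstall registry; confirm the install path manually.'
}
foreach ($i in $installs) {
    $state = if (Test-OutputMessengerPatched $i.DisplayVersion) { 'patched (>= 2.0.63)' } else { 'VULNERABLE: patch after triage' }
    Write-Host ("{0} {1}: {2}" -f $i.DisplayName, $i.DisplayVersion, $state)
}

$findings = Find-MarbledDustArtifacts
$findings | Format-List
if ($findings.BackdoorProcesses.Count -or $findings.BackdoorFiles.Count -or $findings.C2DnsCache.Count) {
    Write-Warning 'Indicators present. Isolate the host and contact the SOC before patching.'
}
```

A file hit with an Unknown or NotSigned Authenticode status, any Startup entry nobody can account for, or a cached answer for the C2 domain should stop the patch roll-out for that host and go to the SOC hotline below; patching over a live backdoor removes the entry vector but not the implant. An empty result does not prove the host is clean, since the indicators above are only those published so far.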
Cyber Security Services
Enterprise Information Services
Cyber Security Services | CSS
PH: SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378