Vulnerability Description
CVE-2025-27920 is a directory traversal vulnerability in Srimax Output Messenger before version 2.0.63, with a CVSS score of 6.5.
The flaw lets a remote attacker reach or execute files outside the directory the application intends to serve by supplying file paths that contain ../ sequences. Because the path is not canonicalised and checked against the intended base directory before use, successful exploitation escapes that directory and can expose or modify sensitive files on the server.
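To make the bug class concrete, the following is an added illustration and not code from Srimax or from the Output Messenger product: a naive path join of the kind that produces directory traversal, beside a hardened resolver that decodes, normalises and checks containment before touching the filesystem. The base directory, the function names and the constructed attacker inputs are all assumptions for the demo. The check is purely lexical (posixpath) so it behaves the same on any OS; a real file handler would additionally resolve symlinks with os.path.realpath before the containment test.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical upload root used only for this demo; the page does not
# describe Output Messenger's real directory layout.
BASE_DIR = "/srv/outputmessenger/files"


def vulnerable_resolve(base: str, user_path: str) -> str:
    """The traversal bug pattern: trust the client-supplied name and glue
    it onto the base directory. Any '../' segment walks out of the base."""
    return base + "/" + user_path


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Canonicalise the request, then require that the result still lives
    under base. Returns the resolved path, or None when it must be rejected."""
    # Decode percent-encoding until it stops changing, so '..%2f' and the
    # double-encoded '..%252f' are seen as '../' rather than as literal
    # file-name characters.
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # A NUL byte truncates C strings and can hide the real suffix from checks.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators: Output Messenger is a Windows product,
    # and there '..\' is a traversal exactly like '../'.
    decoded = decoded.replace("\\", "/")
    # An absolute path would make a naive join discard the base entirely.
    if decoded.startswith("/"):
        return None
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, decoded))
    # A request must name something inside base, not base itself.
    if target == base:
        return None
    # Containment check on whole path components: commonpath rejects
    # '/srv/outputmessenger/files2/x' where a plain startswith() would not.
    if posixpath.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests, not observed attacker traffic.
    samples = [
        "report.txt",
        "subdir/../report.txt",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "..%252F..%252Fetc%252Fpasswd",
        "..\\..\\Windows\\win.ini",
        "/etc/passwd",
        "report.txt\x00.jpg",
    ]
    for s in samples:
        naive = posixpath.normpath(vulnerable_resolve(BASE_DIR, s))
        print(f"{s!r:40} naive -> {naive:40} safe -> {safe_resolve(BASE_DIR, s)}")
```

Run the script to see which constructed inputs the naive join lets escape to /srv/etc/passwd or /srv/Windows/win.ini and which the hardened resolver refuses; the only requests it accepts are ones whose normalised form stays below the base directory.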
Threat Activity
According to Microsoft’s Threat Intelligence team, a threat actor they track as Marbled Dust has been exploiting unpatched Output Messenger instances since April 2024. Microsoft also disclosed a second Output Messenger vulnerability, CVE-2025-27921, but no exploitation of that flaw has been observed to date. CISA added CVE-2025-27920 to its Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-27920 – CVSS 6.5 (medium) – assigned by CISA-ADP |
| Vulnerability Description | Output Messenger before 2.0.63 is vulnerable to a directory traversal attack due to improper file path handling. |
| Date of Disclosure | December 25, 2024 |
| Date Reported as Actively Exploited | May 19, 2025 |
| Affected Assets | Srimax Output Messenger |
| Vulnerable Software Versions | All versions before 2.0.63. |
| PoC Available? | We did not observe any public exploits available at the time of writing. |
| Exploitation Status | Threat activity related to this vulnerability was observed in April 2024 by Microsoft’s Threat Intelligence team and attributed to a group they track as Marbled Dust. This vulnerability was added to CISA KEV on May 19, 2025. |
| Patch Status | Srimax has provided instructions for downloading Output Messenger version 2.0.63 in their security advisory. |
Censys Perspective
As of this writing, Censys has identified 827 exposed Output Messenger instances. Of these, 620 report a version below 2.0.63 and therefore appear susceptible to the vulnerability. The ten most common vulnerable versions observed are listed below:
| Version | Host Count |
|---|---|
| 2.0.15.0 | 127 |
| 2.0.22.0 | 127 |
| 2.0.18.0 | 99 |
| 2.0.23.0 | 43 |
| 2.0.0.0 | 31 |
| 2.0.10.0 | 27 |
| 1.9.51.0 | 23 |
| 2.0.41.0 | 22 |
| 2.0.61.0 | 20 |
| 2.0.50.0 | 20 |
The queries below identify internet-facing instances of Srimax Output Messenger. They match every version, so a hit is not by itself evidence that a host is vulnerable; check the reported version against 2.0.63.

```
host.services.software: (vendor: "Srimax" and product: "Output Messenger") or web.software: (vendor: "Srimax" and product: "Output Messenger")
```

```
services.software: (vendor="Srimax" and product="Output Messenger")
```

```
host.services.software: (vendor="Srimax" and product="Output Messenger") or web_entity.instances.software: (vendor="Srimax" and product="Output Messenger")
```