CVE-2025-27920: Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in...

9.8 CVSS

Description

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

Known Exploited

🚨 Marked as known exploited on May 19th, 2025 (12 days ago).

Classification

CVE ID: CVE-2025-27920

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 62.5% (probability of being exploited)

EPSS Percentile: 98.24% (scored less or equal to compared to others)

EPSS Date: 2025-05-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27920
https://www.srimax.com/products-2/output-messenger/
https://www.outputmessenger.com/cve-2025-27920/

Timeline

2025-05-05 16:40:21 UTC
CVE

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in...
2025-05-12 19:30:23 UTC
CyberInsider

Zero-day Flaw in Output Messenger Exploited in Espionage Attacks
2025-05-19 18:00:15 UTC
CISA KEV

Srimax Output Messenger Directory Traversal Vulnerability
2025-05-19 18:01:15 UTC
🚨 Marked as Known Exploited