Home

Description

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

PUBLISHED Reserved 2025-03-10 | Published 2025-05-05 | Updated 2025-10-21 | Assigner mitre




HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA Known Exploited Vulnerability

Date added 2025-05-19 | Due date 2025-06-09

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-24 Path Traversal: '../filedir'

Product status

Default status
unaffected

Any version before 2.0.63
affected

References

www.microsoft.com/...utput-messenger-for-regional-espionage/ third-party-advisory

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-27920 government-resource

www.srimax.com/products-2/output-messenger/

www.outputmessenger.com/cve-2025-27920/

cve.org (CVE-2025-27920)

nvd.nist.gov (CVE-2025-27920)

Download JSON