CVE-2025-27920 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Srimax Output Messenger Directory Traversal Vulnerability

Exploit added

May 19, 2025

Action due

June 9, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-24	Path Traversal: ‘../filedir’

Details

Source:
NVD

Published:
May 5, 2025

Updated:
May 21, 2025

Risk information

CVSS v3

Base score:
7.2

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v2

Not defined