CVE-2025-27920 — Srimax Output Messenger Directory Traversal Vulnerability

Srimax Output Messenger — Path Traversal to Startup Folder Persistence; Marbled Dust Targets Kurdish Military in Iraq

What is Srimax Output Messenger?

Output Messenger is an on-premises enterprise instant messaging platform developed by Srimax (India) that allows organizations to run a self-hosted internal chat server. It is used by approximately 2,000 organizations globally, particularly in the Middle East, South Asia, and Southeast Asia, to provide secure internal communications. The platform includes a Server Manager web interface for administration and file management. Because Output Messenger is deployed as internal infrastructure with server-side file access, path traversal vulnerabilities in its file-upload handlers can result in persistent code execution on the host server.

Overview

CVE-2025-27920 is a directory traversal vulnerability (CWE-24) in the Srimax Output Messenger Server Manager file-upload handler. An attacker who can make authenticated requests to the server manager can manipulate the name parameter with ../../ sequences to write arbitrary files to any location on the Windows server filesystem, including the Windows startup folder — enabling persistent code execution on next server boot. Microsoft Threat Intelligence attributed active exploitation to Marbled Dust (also tracked as Sea Turtle / UNC1326), a Türkiye-affiliated espionage group that used the vulnerability as a zero-day against Kurdish military targets in Iraq beginning approximately April 2024 — over a year before the CVE was published.

Affected Versions

Product                            Vulnerable   Fixed
Output Messenger Server            < 2.0.62     2.0.62
Output Messenger Client (Windows)  < 2.0.63     2.0.63

Technical Details

The path traversal (CWE-24) is in the Output Messenger Server Manager's file upload endpoint. The handler accepts a name parameter that determines the filename for uploaded content. Without proper validation of ../ sequences in the name value, an attacker can write files to arbitrary filesystem paths:

Exploitation payload example:

name=../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs

This writes a VBScript file to the Windows startup folder. When the server next reboots, Windows automatically executes all files in the startup folder — providing persistent code execution as the server's service account.
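The following is an added example, not code from the page or from Srimax, showing the defect pattern described above beside a hardened filename resolver. The upload root (C:\OutputMessenger\Uploads) and the function names are assumptions; the traversal value is the one quoted above and is used only as a test input. ntpath is used so the Windows path semantics are reproduced on any host. The hardened resolver goes slightly beyond the page's single case by also collapsing URL encoding and checking containment after normalisation.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote

# Assumed upload root for the example; the real server's directory is not on the page.
UPLOAD_ROOT = r"C:\OutputMessenger\Uploads"

# The traversal value shown in the advisory, used here only as a test input.
PAGE_PAYLOAD = ("../../../../../../../../../../ProgramData/Microsoft/Windows/"
                "Start Menu/Programs/StartUp/OMServerService.vbs")


def vulnerable_target_path(name: str) -> str:
    """The pattern the advisory describes: the client-supplied name is joined
    to the upload root with no validation, so '..' components walk out of it.
    Returns the path such a handler would end up writing to."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, name))


def safe_target_path(name: str) -> Optional[str]:
    """Hardened resolver: returns the path to write to, or None to reject.

    1. Collapse up to two layers of URL encoding so %2e%2e and %252e%252e
       cannot hide a traversal from the checks below.
    2. Accept only a bare filename: no '/', '\\', drive colon or NUL.
    3. Normalise and confirm the result is still inside UPLOAD_ROOT; this
       catches anything the lexical checks miss.
    """
    decoded = name
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    if not decoded or decoded in (".", ".."):
        return None
    if any(ch in decoded for ch in "/\\:\x00"):
        return None
    if decoded != ntpath.basename(decoded):
        return None

    root = ntpath.normpath(UPLOAD_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, decoded))
    # Belt-and-braces containment check on the resolved path.
    if ntpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    print("vulnerable:", vulnerable_target_path(PAGE_PAYLOAD))
    for value in ("report.pdf", PAGE_PAYLOAD, "..%2F..%2FOM.vbs", "%252e%252e%255cOM.vbs"):
        print(f"hardened  : {value[:40]!r:45} -> {safe_target_path(value)}")
```

The lexical checks alone would be enough for a bare-filename API, but the final containment check is what protects you if a later change starts accepting subdirectories or the normalisation rules differ from what you expect.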

Full Marbled Dust attack chain:

  1. Initial access: DNS hijacking or credential theft to obtain authenticated Output Messenger Server Manager access
  2. CVE-2025-27920: Directory traversal → drop OMServerService.vbs and OM.vbs to Windows startup folder
  3. Startup execution: VBScript launches OMServerService.exe — a GoLang backdoor masquerading as a legitimate Output Messenger process
  4. C2 beaconing: Backdoor connects to api.wordinfos[.]com for command-and-control
  5. Data exfiltration: SSH tunneling via plink.exe exfiltrates collected data to attacker infrastructure
  6. Lateral movement: OMClientService.exe deployed on client machines via the compromised server

Discovery

Microsoft Threat Intelligence (MSTIC) discovered the zero-day exploitation by Marbled Dust and notified Srimax, which released patches. A companion vulnerability, CVE-2025-27921, was identified at the same time but has not been observed being exploited in the wild.

Exploitation Context

Marbled Dust (Sea Turtle / UNC1326) is a Türkiye-affiliated espionage group that has historically targeted organizations in conflict with Turkish state interests — particularly Kurdish groups, opposition media, and critics of the Turkish government in Europe and the Middle East. The targeting of Kurdish military entities in Iraq is consistent with Marbled Dust's geopolitical mandate.

Microsoft estimates with moderate confidence that Marbled Dust pre-identified specific Output Messenger deployments used by their targets before initiating the attack — indicating deliberate reconnaissance, not opportunistic scanning. The approximately 13-month zero-day window (April 2024 – May 2025) provided sustained covert access to targeted organizations.

Remediation

  1. Upgrade Output Messenger Server to 2.0.62 and Client to 2.0.63 immediately. The CISA deadline was June 9, 2025.
  2. Check the Windows startup folder for unexpected VBScript or executable files: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.
  3. Hunt for GoLang backdoor indicators: look for OMServerService.exe or OMClientService.exe processes that aren't the legitimate Output Messenger binaries (check file hashes against known-good versions).
  4. Block outbound connections to api.wordinfos[.]com and review DNS query logs for this domain.
  5. Audit file-upload access logs in the Output Messenger Server Manager for requests with ../ in the name parameter.
  6. Restrict Server Manager access to known administrator IP addresses — the file upload endpoint should not be reachable from the internet.
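As an added example for step 5 (not code from the page or from Srimax), the script below scans Server Manager access logs for upload requests whose name parameter carries a traversal. The log layout (common log format), the /upload endpoint path and every sample line are constructed for the example; Output Messenger's real log format is not given on the page. The check decodes up to two layers of URL encoding and treats both slash and backslash as separators, so encoded and Windows-style variants are caught along with the plain ../ form the page describes.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines. The /upload path, the field layout
# and every address, user and timestamp below are assumed for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [03/Apr/2024:10:15:01 +0000] "POST /upload?name=report.pdf HTTP/1.1" 200 512
10.0.0.5 - admin [03/Apr/2024:10:16:22 +0000] "POST /upload?name=../../../../../../../../../../ProgramData/Microsoft/Windows/Start%20Menu/Programs/StartUp/OMServerService.vbs HTTP/1.1" 200 1024
10.0.0.9 - admin [03/Apr/2024:10:17:40 +0000] "POST /upload?name=..%2F..%2FOM.vbs HTTP/1.1" 200 900
10.0.0.9 - admin [03/Apr/2024:10:18:05 +0000] "POST /upload?name=%252e%252e%255cOM.vbs HTTP/1.1" 200 900
10.0.0.7 - admin [03/Apr/2024:10:19:30 +0000] "POST /upload?name=notes..txt HTTP/1.1" 200 300
10.0.0.7 - admin [03/Apr/2024:10:20:11 +0000] "GET /status HTTP/1.1" 200 64
"""

# Common log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status bytes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# The advisory names only the 'name' parameter; extend this set if needed.
WATCHED_PARAMS = {"name"}


def decode_layers(value: str, max_layers: int = 2) -> str:
    """Undo up to max_layers of URL encoding (stops early once stable)."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(raw_value: str) -> bool:
    """True when the decoded value contains a '..' path component.
    Splitting on both separators means 'notes..txt' is not flagged
    but '..\\OM.vbs' and '%2e%2e/x' are."""
    decoded = decode_layers(raw_value)
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def audit_upload_log(lines):
    """Return one finding per request whose watched parameter is a traversal."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if "=" not in pair:
                continue
            key, raw = pair.split("=", 1)
            if unquote(key) not in WATCHED_PARAMS or not is_traversal(raw):
                continue
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "timestamp": m.group("ts"),
                "raw_name": raw,
                "decoded_name": decode_layers(raw),
            })
    return findings


if __name__ == "__main__":
    for f in audit_upload_log(SAMPLE_LOG.splitlines()):
        print(f"{f['timestamp']} {f['ip']} {f['user']} -> {f['decoded_name']}")
```

Run it over the real log with the regex adjusted to the server's format; hits from the period before the upgrade, and any hit at all for a request that returned a success status, warrant a look at the startup folders listed in step 2.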

Key Details

Property              Value
CVE ID                CVE-2025-27920
Vendor / Product      Srimax — Output Messenger
NVD Published         2025-05-05
NVD Last Modified     2025-11-05
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Severity              HIGH
CWE                   CWE-24
CISA KEV Added        2025-05-19
CISA KEV Deadline     2025-06-09
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      Low
Integrity            Low
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2025-06-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-04-01  Marbled Dust begins exploiting CVE-2025-27920 as a zero-day (Microsoft forensic estimate)
2025-05-05  CVE published; Srimax releases fixed versions (Server 2.0.62, Client 2.0.63)
2025-05-12  Microsoft MSTIC publishes Marbled Dust attribution and full attack chain
2025-05-19  Added to CISA Known Exploited Vulnerabilities catalog
2025-06-09  CISA BOD 22-01 remediation deadline