Warning: CVE-2025-27920 Directory Traversal Vulnerability in Output Messenger leading to Remote Code Execution is Exploited, Patch Immediately!

Published: 13/05/2025

    * Last update: 13/05/2025

    * Affected software: Output Messenger before v2.0.63

    * Type: Directory Traversal, Reflected Cross-Site Scripting. Could lead to Remote Code Execution

    * CVE/CVSS:
        → CVE-2025-27920: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
        → CVE-2025-27921: CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Sources

Microsoft Security - https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/

Risks

Microsoft discovered a critical vulnerability, ‘CVE-2025-27920’, affecting the messaging application “Output Messenger”. Microsoft has additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability.

An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Microsoft also discovered a second vulnerability, ‘CVE-2025-27921’, which is not being exploited. Applying the patches will also fix this vulnerability, which could lead to Remote Code Execution in the victim’s browser.

Description

CVE-2025-27920 - Directory Traversal Vulnerability
This vulnerability allows remote attackers to access or execute arbitrary files by manipulating file paths with ../ sequences. By exploiting this flaw, attackers can navigate outside the intended directory, potentially exposing or modifying sensitive files on the server.
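
A path-containment check of the kind that blocks the ../ traversal described above, shown as an added example and not Output Messenger's code. The upload root C:\srv\uploads, the function names and the sample file names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS for lexical checks

# Hypothetical upload root (assumption; the advisory names no product paths).
UPLOAD_ROOT = r"C:\srv\uploads"


def resolve_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the destination for an uploaded file, or raise ValueError if the
    client-supplied name would resolve outside `root`.

    Pass the name after all decoding (URL, Unicode) has been applied. The check
    is lexical; on a live filesystem also resolve links before comparing.
    """
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or embedded NUL")
    # Windows accepts both separators, so normalise before inspecting.
    name = client_name.replace("/", "\\")
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        raise ValueError("absolute, drive-relative or UNC path")
    # Collapse '.' and '..' segments, then compare case-insensitively.
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    dest = ntpath.normpath(ntpath.join(root, name))
    dest_cmp = ntpath.normcase(dest)
    if dest_cmp == root_cmp or ntpath.commonpath([root_cmp, dest_cmp]) != root_cmp:
        raise ValueError("path escapes upload root")
    return dest


def audit_names(names, root: str = UPLOAD_ROOT) -> dict:
    """Map each name to its resolved path, or to 'REJECTED: <reason>'."""
    results = {}
    for n in names:
        try:
            results[n] = resolve_upload_path(n, root)
        except ValueError as exc:
            results[n] = f"REJECTED: {exc}"
    return results


# Constructed sample names, not taken from any real incident.
SAMPLES = ["report.pdf", "team/notes.txt", "a/../b.txt",
           "..\\..\\outside.txt", "../../outside.txt", "C:\\other\\x.txt",
           "\\\\host\\share\\x.txt", "\\x.txt", "."]

if __name__ == "__main__":
    for name, verdict in audit_names(SAMPLES).items():
        print(f"{name!r:28} -> {verdict}")
```

The same function can be run over file names recorded in upload logs to flag entries that would have resolved outside the intended directory.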

CVE-2025-27921 - Reflected Cross-Site Scripting (XSS) Vulnerability
This vulnerability occurs when user-controlled input is reflected back into the browser without proper sanitization or encoding. This allows attackers to inject and execute arbitrary JavaScript in the victim’s browser, leading to potential exploitation of the session or other client-side attacks.
This vulnerability could also lead to Remote Code Execution in the context of the victim’s session.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect 
The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Output Messenger - https://www.outputmessenger.com/cve-2025-27920/
Output Messenger - https://www.outputmessenger.com/cve-2025-27921/
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-27920
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-27921