Vulnerability in Output Messenger actively exploited
Take action: If you're using Output Messenger, immediately update to version 2.0.63 for Windows or 2.0.62 for Server. It has a flaw that's being actively exploited by hackers.
A vulnerability in Output Messenger has been actively exploited since April 2025, targeting users associated with the Kurdish military in Iraq. It's suspected that the cyberespionage group known as Marbled Dust is behind the attacks.
Microsoft Threat Intelligence discovered this campaign and identified the security flaw, which has been fixed by the application's developer Srimax. The attackers demonstrated advanced technical capabilities by leveraging this previously unknown vulnerability as part of a targeted espionage operation, suggesting an escalation in their targeting priorities or increased urgency in their operational goals.
- The actively exploited flaw is CVE-2025-27920 (CVSS score 9.8): A directory traversal vulnerability in the Output Messenger Server Manager application that allows authenticated users to upload malicious files into the server's startup directory. This vulnerability enables attackers to access files outside the intended directory or deploy malicious payloads to the server's startup folder.
- Microsoft identified a secondary vulnerability tracked as CVE-2025-27921 (CVSS score 6.1), which is also patched. No exploitation of this flaw has been observed.
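To illustrate the bug class behind CVE-2025-27920, here is a generic upload-path check shown beside the unvalidated join it replaces. This is an added example, not Srimax's code or Microsoft's analysis; `UPLOAD_ROOT`, the function names and the sample file names are hypothetical, and the check is lexical only (it does not resolve links on disk).

```python
import ntpath  # Windows path rules, importable on any OS for a lexical check

# Hypothetical upload root; the product's real directory layout is not on the page.
UPLOAD_ROOT = r"C:\AppData\uploads"


def naive_destination(root, client_name):
    """Vulnerable pattern: trust the client-supplied name and just join it."""
    return ntpath.normpath(ntpath.join(root, client_name))


def safe_destination(root, client_name):
    """Return the normalized destination, or raise ValueError if it leaves root."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    root_n = ntpath.normcase(ntpath.normpath(root))
    # join() silently drops root when the name is rooted or has a drive/UNC prefix,
    # so the containment test must run on the joined and normalized result.
    dest = ntpath.normpath(ntpath.join(root, client_name))
    dest_n = ntpath.normcase(dest)
    try:
        # commonpath compares whole components, so "uploads_evil" is not
        # mistaken for a child of "uploads" the way a startswith() test would.
        inside = ntpath.commonpath([root_n, dest_n]) == root_n
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    if not inside or dest_n == root_n:
        raise ValueError(f"rejected upload name: {client_name!r}")
    return dest


if __name__ == "__main__":
    # Constructed sample names, not observed attack data.
    samples = [r"docs\report.txt", r"..\..\Startup\x.bat", "../../x.bat",
               r"..\uploads_evil\x.bat", r"D:\x.bat", r"\\host\share\x.bat", ""]
    for name in samples:
        try:
            print("accept", safe_destination(UPLOAD_ROOT, name))
        except ValueError as err:
            print("reject", err)
```

A server-side write path that applies a check like this, plus monitoring for new files appearing in startup locations on the messaging server, covers both prevention and detection for this class of flaw.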
Microsoft Threat Intelligence has documented the attack chain employed by Marbled Dust. Once Marbled Dust gains access to the Output Messenger server by exploiting the vulnerability, they can:
- Access all user communications indiscriminately
- Steal sensitive data
- Impersonate users
- Gain unauthorized access to internal systems
- Cause operational disruptions
- Cause widespread credential compromise
Microsoft Threat Intelligence recommends users upgrade Output Messenger to its latest version:
- Version 2.0.63 for Windows
- Version 2.0.62 for Server