Microsoft Warns of Active Cyber Threat Exploiting Output Messenger Vulnerability
Microsoft has warned of an ongoing cyber threat exploiting a vulnerability in Output Messenger. Despite a patch being available since December 2024, unprotected instances remain at risk. The attack, attributed to the Turkish-linked cyber-espionage group Marbled Dust, allows unauthorized access to sensitive files.
The vulnerability, identified as CVE-2025-27920, is a directory traversal flaw affecting Output Messenger versions 2.0.62 and earlier. It lets the threat actor reach files outside the intended directory, potentially exposing sensitive information.
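The traversal class described above, as an added example that is not from the original article and is not Output Messenger code: an unchecked path join beside a containment check. The function names and request strings are constructed for illustration, and the code covers the general bug class rather than the specific flaw behind CVE-2025-27920.

```python
import os
import tempfile

def _inside(base, path):
    # commonpath compares whole components, so ".../files_backup" is not
    # mistaken for a child of ".../files" the way a startswith() test would be.
    return os.path.commonpath([base, path]) == base

def naive_resolve(base_dir, requested):
    # Vulnerable pattern: untrusted input is joined and normalised, never checked.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # Conservative choice: treat "\" as a separator on every OS.
    cleaned = requested.replace("\\", "/")
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, cleaned))
    if not _inside(base, candidate):
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate

def check_samples():
    """Map each constructed request name to (naive_escapes, safe_verdict)."""
    samples = ["docs/report.txt", "../files_backup/secret.txt",
               "docs/../../outside.txt", "/etc/hostname", "..\\..\\outside.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.realpath(os.path.join(root, "files"))
        os.makedirs(os.path.join(base, "docs"))
        for name in samples:
            naive_escapes = not _inside(base, os.path.realpath(naive_resolve(base, name)))
            try:
                safe_resolve(base, name)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[name] = (naive_escapes, verdict)
    return results

if __name__ == "__main__":
    for name, (escapes, verdict) in check_samples().items():
        print(f"naive_escapes={escapes!s:5} safe={verdict:8} {name}")
```

The sibling-directory case (`../files_backup/...`) is the one a plain string-prefix check lets through, which is why the containment test compares path components.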
Marbled Dust, active since at least 2019, has targeted entities in Europe and the Middle East associated with the Kurdish military operating in Iraq. The group's latest campaign began in April 2024 and is still ongoing. This marks a significant development in Marbled Dust's capabilities, showcasing increased technical sophistication.
The organization that reported the vulnerability on May 5, 2025, remains unknown. Despite the issue being known since April 2024 and a patch being released, exploitation continues on unpatched instances. Microsoft patched the vulnerability in version 2.0.63, but users are urged to update to the latest version to protect against this active threat.
Organizations using Output Messenger are advised to update to the patched version 2.0.63 or later to mitigate the risk of unauthorized access to sensitive files. The ongoing campaign by Marbled Dust underscores the importance of prompt vulnerability patching and robust cybersecurity measures.