NEWS CVE-2025-27920: Zero-Day, Total Compromise, Zero Chance

ExcalibuR

When a zero-day lingers unnoticed, the wrong people end up with access to sensitive secrets.


The APT group Marbled Dust, linked to the Turkish government, carried out a cyberespionage campaign against users of Output Messenger by exploiting a zero-day vulnerability in the enterprise messaging platform. Its targets included entities connected to Kurdish military groups operating in Iraq.


The attack and the vulnerability, tracked as CVE-2025-27920, were discovered by Microsoft Threat Intelligence. The flaw is a directory traversal vulnerability in Output Messenger Server Manager: an authenticated attacker can reach files outside the intended directory structure, exposing configuration files, user data and even source code. Beyond reading information, the bug also lets the attacker drop a malicious executable into the server's startup folder, where it is launched along with the service.


Output Messenger's developer, Srimax, patched the vulnerability in version V2.0.63, released in December 2024; the campaign specifically went after organizations that had not applied the update. Once inside, the attackers deployed a backdoor named OMServerService.exe, which connected to a command-and-control server under Marbled Dust's control and exfiltrated victim data.
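To make the bug class behind the two paragraphs above concrete, here is an added example, not code from Output Messenger, Srimax or Microsoft's report: a naive path resolver of the kind that produces directory traversal, beside a hardened version that decodes fully, normalises separators and checks containment on the final path. The install layout, the writable `uploads` directory, the sibling `startup` directory and the payload list are constructed assumptions; only the file name OMServerService.exe comes from the report.

```python
"""Directory-traversal path handling: the naive join beside a contained resolver.

Constructed example. The directory layout, file names and payloads below are
assumptions for illustration; they are not Output Messenger's real paths or code.
"""
import posixpath
from urllib.parse import unquote

SERVER_ROOT = "/opt/example-server"          # assumed install root
UPLOAD_DIR = SERVER_ROOT + "/uploads"        # directory an authenticated user may write to
STARTUP_DIR = SERVER_ROOT + "/startup"       # assumed sibling the service launches executables from


def _normalise_separators(user_path: str) -> str:
    # Windows file APIs accept both separators; modelled here in POSIX notation.
    return user_path.replace("\\", "/")


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Decode once, join, normalise: the classic traversal bug.

    '..' segments survive normpath and walk out of `base`; nothing checks
    that the result is still underneath it.
    """
    decoded = _normalise_separators(unquote(user_path))
    return posixpath.normpath(posixpath.join(base, decoded))


def resolve_hardened(base: str, user_path: str) -> str:
    """Decode fully, normalise, then enforce containment on the final path."""
    decoded = user_path
    for _ in range(2):                       # %252e%252e -> %2e%2e -> ..
        decoded = unquote(decoded)
    decoded = _normalise_separators(decoded)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # Compare against base + '/' so a sibling such as 'uploads_evil' is not
    # accepted by a bare prefix match.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PermissionError(f"{user_path!r} escapes {base_norm}")
    return candidate


def lands_in_startup(path: str) -> bool:
    """True if a resolved path would be written into the assumed startup directory."""
    return path.startswith(posixpath.normpath(STARTUP_DIR) + "/")


# Constructed payloads covering the usual traversal variants.
PAYLOADS = [
    "report.txt",                                # legitimate
    "../startup/OMServerService.exe",            # plain traversal
    "..%2Fstartup%2FOMServerService.exe",        # URL-encoded separator
    "..\\startup\\OMServerService.exe",          # Windows separator
    "sub/../../startup/OMServerService.exe",     # traversal after a valid segment
    "%252e%252e/startup/OMServerService.exe",    # double-encoded dots
    "../uploads_evil/OMServerService.exe",       # sibling sharing a name prefix
]


def compare(payloads=PAYLOADS):
    """Return {payload: (naive result, hardened result or 'REJECTED')}."""
    out = {}
    for p in payloads:
        vuln = resolve_vulnerable(UPLOAD_DIR, p)
        try:
            hard = resolve_hardened(UPLOAD_DIR, p)
        except (PermissionError, ValueError):
            hard = "REJECTED"
        out[p] = (vuln, hard)
    return out


if __name__ == "__main__":
    for payload, (vuln, hard) in compare().items():
        flag = "  <- reaches startup dir" if lands_in_startup(vuln) else ""
        print(f"{payload!r}\n  naive:    {vuln}{flag}\n  hardened: {hard}")
```

Run stand-alone to see each payload under both resolvers. What closes the hole is the containment test on the final normalised path rather than on the raw input: blacklisting the string ".." misses encoded separators, backslashes and traversal that follows a valid segment, all of which the naive resolver above happily turns into a write under the startup directory.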


It remains unclear how the attackers obtained valid credentials in each case. Microsoft assesses that Marbled Dust likely used credential-interception techniques such as DNS hijacking and typosquatted domains, methods the group has previously employed in man-in-the-middle (MITM) attacks to harvest credentials.


Control of Output Messenger's server component gave the attackers full access to user communications: they could impersonate users, move into internal systems, and steal sensitive information. In one confirmed incident, the Output Messenger client on an infected machine connected to a Marbled Dust-linked IP address immediately after the backdoor received a command to collect and archive files.


Marbled Dust, also tracked as Sea Turtle, SILICON and UNC1326, has been active across the Middle East and Europe, focusing on telecom providers, IT infrastructure, and politically sensitive organizations, particularly those opposing the Turkish government. The group has previously been linked to attacks on Dutch ISPs and Kurdish websites between 2021 and 2023.


According to Microsoft, the successful use of this zero-day marks a notable advance in Marbled Dust's technical capabilities and may reflect a shift in the group's priorities toward more urgent or larger-scale operations. The targeting of Output Messenger also suggests that corporate communications infrastructure is becoming an increasingly attractive entry point for cyberespionage.