How the CVE Works
CVE-2025-27591 is a privilege escalation vulnerability in Below service versions before v0.9.0. The service creates a world-writable directory at `/var/log/below`, allowing local unprivileged users to manipulate files via symlink attacks. By exploiting this misconfiguration, an attacker could overwrite critical system files like `/etc/shadow`, leading to root privilege escalation. The vulnerability stems from improper directory permissions and insufficient validation of symbolic links, enabling malicious users to redirect file operations to sensitive locations.
DailyCVE Form
Platform: Below Service
Version: < v0.9.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 07/03/2025
Prediction: Patch by 08/15/2025
What Undercode Say
```bash
# Check Below service version
below --version
# Verify directory permissions
ls -ld /var/log/below
# Exploit PoC (hypothetical)
ln -s /etc/shadow /var/log/below/malicious_log
echo "malicious_content" > /var/log/below/malicious_log
```
How Exploit
1. Identify Below service version (< v0.9.0).
2. Confirm `/var/log/below` is world-writable.
3. Create symlink to sensitive file (e.g., `/etc/shadow`).
4. Write malicious content via the symlink.
Protection from this CVE
- Update to Below v0.9.0+.
- Restrict `/var/log/below` permissions (e.g., `chmod 750`).
- Disable symlink following in service config.
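A defensive check for the two conditions described above (a world-writable log directory and symlinks sitting inside it), as an added example that is not from the original post or the Below project. The function names are hypothetical, and the directory to audit is passed as an argument.

```bash
#!/bin/sh
# Added example (not Below's own tooling): audit a log directory for the
# conditions behind CVE-2025-27591. Function names are hypothetical.

# Succeeds when DIR is a real directory writable by "other".
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# Prints every symlink found under DIR (find does not follow them).
list_symlinks() {
    find "$1" -type l 2>/dev/null
}

# Reports findings for DIR. Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_logdir() {
    audit_dir=$1
    audit_findings=0
    if [ ! -e "$audit_dir" ] && [ ! -L "$audit_dir" ]; then
        echo "SKIP: $audit_dir does not exist"
        return 2
    fi
    if is_world_writable "$audit_dir"; then
        echo "FINDING: $audit_dir is world-writable"
        audit_findings=$((audit_findings + 1))
    fi
    audit_links=$(list_symlinks "$audit_dir")
    if [ -n "$audit_links" ]; then
        echo "FINDING: symlinks under $audit_dir:"
        echo "$audit_links"
        audit_findings=$((audit_findings + 1))
    fi
    [ "$audit_findings" -eq 0 ]
}

# Run against the path given on the command line, e.g. /var/log/below.
if [ "$#" -gt 0 ]; then
    audit_logdir "$1"
fi
```

A non-zero exit status makes the script usable from cron or a configuration-management check; a symlink in a log directory is worth investigating even after the permissions have been tightened.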
Impact
- Full root access compromise.
- Unauthorized system modifications.
- Potential persistence mechanisms.
Sources:
Reported By: nvd.nist.gov