CVE-2025-27591 in below
Summary
by MITRE • 03/11/2025
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability described in CVE-2025-27591 represents a critical privilege escalation flaw within the Below service ecosystem that persisted through versions prior to v0.9.0. This security weakness stems from improper directory permissions that created a world-writable directory structure at /var/log/below, fundamentally undermining the system's security model and providing malicious local users with unprecedented access to critical system resources. The flaw aligns with CWE-732, which specifically addresses inadequate permissions for critical resources, and demonstrates how seemingly minor misconfigurations can create catastrophic security implications.
The technical implementation of this vulnerability exploits the fundamental principle of Unix/Linux file permissions where a world-writable directory allows any local user to create, modify, or delete files within that location. Attackers can leverage this by creating symbolic links within the vulnerable directory that point to sensitive system files such as /etc/shadow, which contains critical user credential information. This symlink manipulation technique enables unprivileged users to either modify the target files directly through the symbolic link or to replace them entirely, effectively gaining root-level access to the system. The attack vector operates through the principle of privilege escalation by abuse of file system permissions and symbolic link manipulation.
The operational impact of this vulnerability extends far beyond simple privilege escalation, as it fundamentally compromises the integrity and confidentiality of the entire system. Local unprivileged users who exploit this vulnerability can potentially access, modify, or delete critical system files including password hashes, system configuration data, and other sensitive information. This creates a persistent backdoor that attackers can use to maintain long-term access to the system while remaining undetected. The vulnerability also violates the principle of least privilege and demonstrates a failure in the principle of least functionality, where unnecessary permissions were granted to system directories that should have been restricted to root access only.
Mitigation strategies for CVE-2025-27591 must address both immediate remediation and long-term security hardening. The primary fix involves updating the Below service to version 0.9.0 or later where the vulnerable directory permissions have been corrected to prevent world-writable access. System administrators should also implement immediate checks to verify that no world-writable directories exist in critical system locations and should conduct comprehensive audits of file permissions across all system components. The remediation process should include setting proper ownership and permissions on the /var/log/below directory, typically requiring root ownership with restrictive permissions such as 700 or 750. Additionally, organizations should implement regular security scanning procedures to detect similar permission misconfigurations and should consider implementing file integrity monitoring solutions to detect unauthorized changes to critical system directories and files. This vulnerability exemplifies the importance of proper privilege management and the principle of least privilege enforcement in system security architecture.