PoC for CVE-2025-27591 – Local privilege escalation in the below monitoring tool. By symlinking its log file to /etc/passwd, an attacker can inject a root account and gain full system compromise.# below-log-race-poc CVE-2025-27591 Exploit (Below privilege escalation)
## Description
This repository contains a proof-of-concept exploit for **CVE-2025-27591**, a privilege escalation vulnerability in the `below` utility.
The issue arises because `below` mishandles log files under `/var/log/below/`, allowing attackers to replace logs with symlinks to sensitive files such as `/etc/passwd`.
By leveraging this, an unprivileged user can inject a new root user entry and escalate privileges.
## Exploit Script
The exploit is implemented as a simple Bash script (`exploit_CVE-2025-27591.sh`) which:
1. Backs up the original `/etc/passwd`.
2. Creates a malicious symlink from `/var/log/below/error_root.log` to `/etc/passwd`.
3. Runs `below` in a loop until `/etc/passwd` becomes writable.
4. Injects a new root-level user (`root2`, password: `1`).
5. Provides interactive root shell access with `su - root2`.
## Usage
```bash
chmod +x exploit_CVE-2025-27591.sh
./exploit_CVE-2025-27591.sh
su - root2 # password: 1
[4.0K] /data/pocs/14b9e45b5f7d7cdf0a196e76a574054cb52b0240
├── [1.5K] exploit_CVE-2025-27591.sh
├── [1.0K] LICENSE
└── [1.0K] README.md
0 directories, 3 files