CVE-2025-63406

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on GroupOffice installations. The root cause is improper input validation in the dbToApi() function combined with the use of eval() in FunctionField.php. It affects all GroupOffice versions before v25.0.47 and v6.8.136. Attackers can exploit this to gain full control of affected systems.

💻 Affected Systems

Products:
  • Intermesh BV GroupOffice
Versions: All versions before v25.0.47 and v6.8.136
Operating Systems: Any OS running GroupOffice (typically Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all GroupOffice installations with vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining root/admin privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web shell installation, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF rules blocking malicious payloads, and restricted file permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public PoC available on GitHub demonstrates exploitation. The attack requires network access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v25.0.47 or v6.8.136

Vendor Advisory: https://www.group-office.com/

Restart Required: Yes

Instructions:

1. Back up your GroupOffice installation and database.
2. Download the latest version from the official GroupOffice website.
3. Follow the upgrade instructions for your version path.
4. Restart web server services.
5. Verify the upgrade succeeded.

🔧 Temporary Workarounds

WAF Rule Implementation (platform: all)

Block malicious eval() and dbToApi() payloads at the network perimeter.

File Permission Restriction (platform: linux)

Restrict write permissions on FunctionField.php and related directories. This protects the file against tampering but does not change what the eval() call inside it executes on attacker-controlled input, so it is a hardening step, not a substitute for the patch.

chmod 644 /path/to/GroupOffice/modules/addressbook/model/FunctionField.php
chown root:www-data /path/to/GroupOffice/modules/addressbook/model/

🧯 If You Can't Patch

  • Isolate vulnerable systems in a separate network segment with strict firewall rules
  • Implement application-level input validation and sanitization for all user inputs

🔍 How to Verify

Check if Vulnerable:

Check the GroupOffice version in the admin panel or via the version.php file.

Check Version:

grep -r '\$version' /path/to/groupoffice/version.php 2>/dev/null || cat /path/to/groupoffice/version.php

Verify Fix Applied:

Confirm the version is v25.0.47 or higher (for the v25 branch) or v6.8.136 or higher (for the v6 branch).
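The version check above is easy to get wrong by hand because the two branches have different fixed releases. The following script is an added example, not part of this advisory or of GroupOffice itself; it assumes only that an x.y.z version string appears somewhere in the text you feed it (the sample version.php content is constructed, the real file layout is not shown here).

```python
import re

# Fixed releases named by the advisory, keyed by branch (major version).
FIXED_BY_BRANCH = {25: (25, 0, 47), 6: (6, 8, 136)}

# Constructed sample of what the version check might read; the real
# layout of version.php is not shown on this page (assumption).
SAMPLE_VERSION_PHP = '<?php\n$version = "25.0.46";\n'


def parse_version(text):
    """Return the first x.y.z version found in text as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version string found")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the version predates the fix on its branch.

    Branches other than 6.x and 25.x are compared against the v25 fix,
    since the advisory covers all versions before the two fixed releases.
    """
    major = version[0]
    if major in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[major]
    return version < FIXED_BY_BRANCH[25]


def check_version_text(text):
    """Parse a version out of text and return (label, verdict)."""
    version = parse_version(text)
    label = ".".join(str(p) for p in version)
    verdict = "VULNERABLE (upgrade)" if is_vulnerable(version) else "patched"
    return label, verdict


if __name__ == "__main__":
    # Feed it the output of the grep/cat command from the step above.
    print(check_version_text(SAMPLE_VERSION_PHP))
```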

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to addressbook endpoints
  • eval() function calls in web server logs
  • Suspicious file creation in web directories

Network Indicators:

  • HTTP requests containing malicious PHP code patterns
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri="*addressbook*" AND (method="POST" AND (body="*eval(*" OR body="*dbToApi*")))
