CVE-2026-25134
📋 TL;DR
This vulnerability allows remote code execution in Group-Office by exploiting improper input validation in the MaintenanceController's zipLanguage action. Attackers can inject malicious commands through the lang parameter, which gets passed directly to system exec(). All Group-Office instances running vulnerable versions are affected.
💻 Affected Systems
- Group-Office
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or deployment of ransomware/malware.
If Mitigated
Limited impact if proper network segmentation and least-privilege principles are in place, though compromise of the web server itself remains possible.
🎯 Exploit Status
Exploit combines command injection with zip file upload. Public advisory includes technical details making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.150, 25.0.82, or 26.0.5 depending on your branch
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849
Restart Required: Yes
Instructions:
1. Back up your Group-Office installation and database.
2. Download the patched version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Restart the web server and Group-Office services.
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable MaintenanceController Access
Restrict access to the vulnerable endpoint via web server configuration or an application firewall. Note that the Apache rule below is written for server or virtual-host context; in a .htaccess file the leading slash is not part of the matched path.
# For Apache: RewriteRule ^/modules/maintenance/MaintenanceController/zipLanguage - [F]
# For Nginx: location ~ /modules/maintenance/MaintenanceController/zipLanguage { deny all; }
Input Validation Filter
Implement WAF rules to block lang parameter values containing shell metacharacters. The example rule runs in phase 2 so that it also covers parameters sent in a POST body, which requires request body inspection (SecRequestBodyAccess On) to be enabled.
# Example ModSecurity rule: SecRule ARGS:lang "[;&|`$()]" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Group-Office from critical systems
- Deploy web application firewall with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check whether your Group-Office version is below the patched release for its branch (6.8.150, 25.0.82, or 26.0.5) and whether the /modules/maintenance/MaintenanceController/zipLanguage endpoint is reachable.
Check Version:
Check the Group-Office admin interface or examine the version.php file in the installation directory.
Verify Fix Applied:
Verify that the version is 6.8.150, 25.0.82, or 26.0.5 or higher for its branch, and confirm that the lang parameter is no longer injectable.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /modules/maintenance/MaintenanceController/zipLanguage
- Web server logs showing shell metacharacters in the lang parameter (default access logs record only the query string, not POST bodies, so enable request logging or WAF audit logs to see body parameters)
- Process or audit logs showing the web server user spawning unexpected zip or shell commands
Network Indicators:
- HTTP requests with lang parameter containing shell metacharacters
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_server" AND (url="/modules/maintenance/MaintenanceController/zipLanguage" AND (lang="*;*" OR lang="*|*" OR lang="*`*" OR lang="*$(*"))
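The log indicators above, turned into a small triage script. This is an added example, not code from the advisory or the Group-Office project: it parses Apache/Nginx combined-format access log lines, flags requests to the zipLanguage endpoint whose decoded lang value contains the same metacharacters the ModSecurity rule blocks, and marks endpoint hits whose lang is not visible in the URL (typically POSTs) for manual review. The log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory; metacharacter set mirrors the WAF rule.
VULN_PATH = "/modules/maintenance/MaintenanceController/zipLanguage"
SHELL_META = re.compile(r"[;&|`$()\n]")

# Apache/Nginx "combined" access-log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_request(target: str):
    """('inject', lang) if lang carries shell metacharacters; ('review', None) if the
    endpoint was hit but lang is not in the URL (e.g. POST body, not logged); else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        # parse_qs already decoded once; decode again to catch double-encoded payloads
        value = unquote(raw)
        if SHELL_META.search(value):
            return ("inject", value)
    return ("review", None)


def scan_access_log(lines):
    """Return (ip, timestamp, verdict, lang) for every line touching the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        verdict = classify_request(m["target"])
        if verdict:
            hits.append((m["ip"], m["ts"], verdict[0], verdict[1]))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [10/Feb/2026:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2026:09:02:40 +0000] "GET /modules/maintenance/MaintenanceController/zipLanguage?lang=en HTTP/1.1" 200 90',
    '198.51.100.7 - - [10/Feb/2026:09:03:05 +0000] "GET /modules/maintenance/MaintenanceController/zipLanguage?lang=en%253Bid HTTP/1.1" 200 90',
    '198.51.100.7 - - [10/Feb/2026:09:03:09 +0000] "POST /modules/maintenance/MaintenanceController/zipLanguage HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, ts, verdict, lang in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict} lang={lang!r}")
```

Feed it real access logs with `scan_access_log(open(path))`; any "inject" hit is a candidate exploitation attempt and "review" hits on this admin-only endpoint deserve a look at WAF or application logs for the request body.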