CVE-2026-25511
📋 TL;DR
This vulnerability allows authenticated users in the System Administrator group of Group-Office to perform Server-Side Request Forgery (SSRF) attacks via the WOPI service discovery URL. Attackers can access internal hosts/ports, exfiltrate response data through the debug system, and read server-side files. This affects Group-Office installations before versions 6.8.150, 25.0.82, and 26.0.5.
💻 Affected Systems
- Group-Office
📦 What is this software?
Group Office by Group Office
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of internal network services, data exfiltration from internal systems, and complete server file system access leading to credential theft and lateral movement.
Likely Case
Unauthorized access to internal services, sensitive data exposure from internal APIs or databases, and potential privilege escalation within the Group-Office environment.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and monitoring are in place, though some internal service enumeration may still occur.
🎯 Exploit Status
Exploitation requires authenticated admin access but is straightforward once credentials are obtained. The advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.150, 25.0.82, or 26.0.5
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm
Restart Required: Yes
Instructions:
1. Back up your Group-Office installation and database.
2. Download the patched version from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server and Group-Office services.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Disable WOPI Service
Temporarily disable the WOPI service discovery functionality to prevent SSRF exploitation.
Edit Group-Office configuration to disable WOPI integration or remove WOPI-related endpoints from web server configuration.
Disable Debug System
Disable the built-in debug system to prevent exfiltration of SSRF response data.
Set debug mode to false in Group-Office configuration files and ensure debug endpoints are not accessible.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Group-Office servers from internal critical systems.
- Enforce strong authentication controls and monitor for suspicious admin account activity.
🔍 How to Verify
Check if Vulnerable:
Check if your Group-Office version is below the fixed release for its branch (6.8.150, 25.0.82, or 26.0.5) and if the WOPI service is enabled.
Check Version:
Check the version in Group-Office admin interface or examine the software files for version metadata.
Verify Fix Applied:
Confirm the installed version is at least the fixed release for its branch (6.8.150, 25.0.82, or 26.0.5), and test that SSRF attempts via WOPI endpoints are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual WOPI service discovery requests from admin accounts
- Debug system access with unusual response data
- Outbound requests to internal IPs from Group-Office server
Network Indicators:
- HTTP requests to internal services originating from Group-Office server
- Unusual traffic patterns from Group-Office to internal network segments
SIEM Query:
source="groupoffice" AND (uri_path="/wopi*" OR uri_path="/debug*") AND dest_ip IN (RFC1918_IP_RANGES)
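The query above uses RFC1918_IP_RANGES as a placeholder. As an added example (not part of the advisory or of Group-Office), the same filter is applied below in Python with the ranges written out. The field names source, uri_path and dest_ip come from the query; the JSON-lines layout, the user field and all sample events are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress
import json

# RFC 1918 private ranges: the expansion of the query's RFC1918_IP_RANGES placeholder.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URI_PATTERNS = ("/wopi*", "/debug*")  # taken from the SIEM query on this page

def is_rfc1918(value):
    """True if value parses as an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return False  # hostname, empty or malformed field
    return addr.version == 4 and any(addr in net for net in RFC1918)

def matches(event):
    """Apply the query's three conditions to one parsed log event."""
    if event.get("source") != "groupoffice":
        return False
    path = str(event.get("uri_path", ""))
    if not any(fnmatch.fnmatchcase(path, p) for p in URI_PATTERNS):
        return False
    return is_rfc1918(event.get("dest_ip", ""))

def scan(lines):
    """Return the events that match; lines that are not JSON objects are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches(event):
            hits.append(event)
    return hits

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE = [
    '{"source": "groupoffice", "user": "admin", "uri_path": "/wopi/discovery", "dest_ip": "10.20.0.5"}',
    '{"source": "groupoffice", "user": "admin", "uri_path": "/wopi/discovery", "dest_ip": "203.0.113.10"}',
    '{"source": "groupoffice", "user": "admin", "uri_path": "/debug/log", "dest_ip": "172.31.255.1"}',
    '{"source": "groupoffice", "user": "admin", "uri_path": "/calendar", "dest_ip": "192.168.1.1"}',
    '{"source": "nginx", "uri_path": "/wopi/discovery", "dest_ip": "10.0.0.1"}',
    'not json',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["user"], hit["uri_path"], "->", hit["dest_ip"])
```

As written, the query covers only RFC 1918 destinations; loopback and link-local addresses need their own ranges added to RFC1918 if they should be flagged too.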