CVE-2026-25512 Overview
Group-Office is an enterprise customer relationship management and groupware tool used by organizations for collaboration and business communication. A critical command injection vulnerability exists in the TNEF attachment handler that allows authenticated attackers to execute arbitrary system commands on the server.
The vulnerable endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call without proper sanitization. By injecting shell metacharacters into the tmp_file parameter, an authenticated attacker can achieve remote code execution (RCE) on the underlying server.
Critical Impact
Authenticated attackers can execute arbitrary system commands on the server, potentially leading to complete system compromise, data exfiltration, lateral movement, and persistent access to the affected infrastructure.
Affected Products
- Group-Office versions prior to 6.8.150
- Group-Office versions prior to 25.0.82
- Group-Office versions prior to 26.0.5
Discovery Timeline
- 2026-02-04 - CVE-2026-25512 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25512
Vulnerability Analysis
This vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection). The flaw resides in the MessageController.php file within the email module, specifically in the TNEF attachment handling functionality.
When processing TNEF (Transport Neutral Encapsulation Format) attachments, the application constructs a shell command to extract the attachment contents using the tnef command-line utility. The tmp_file parameter supplied by the user is concatenated directly into the command string passed to PHP's exec() function without any escaping or validation of shell metacharacters.
This allows an authenticated attacker to break out of the intended command context by injecting shell metacharacters such as semicolons (;), backticks (`), pipes (|), or command substitution syntax ($()). The injected commands will execute with the privileges of the web server process.
Root Cause
The root cause is the direct concatenation of user-controlled input into a shell command without proper sanitization. The vulnerable code passes the raw $tmpFile->path() value to exec() without using PHP's escapeshellarg() function to neutralize shell metacharacters.
The fix correctly applies escapeshellarg() to both the folder path and file path arguments before passing them to the exec() function, ensuring that any special characters are properly escaped and cannot be interpreted as shell commands.
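To make the root cause concrete, here is an added example (not Group-Office's code and not part of the advisory) that models the defect and the fix in Python: shlex.quote plays the role of PHP's escapeshellarg(), a small POSIX-style tokenizer shows how many commands the shell would see in each case, and an allowlist check plus an argv-list build show the defense-in-depth shape new code should take. The tnef binary path, tmpdir and output folder are assumed placeholder values.

```python
"""Python model of the CVE-2026-25512 defect and its fix (added example, not
Group-Office code).  shlex.quote stands in for PHP's escapeshellarg(); the
paths below are assumed placeholders for the configuration values."""
import re
import shlex
from pathlib import Path

TNEF_CMD = "/usr/bin/tnef"                    # assumption: stands in for GO::config()->cmd_tnef
TMPDIR = "/tmp/groupoffice/"                  # assumption: stands in for GO::config()->tmpdir
OUT_FOLDER = "/tmp/groupoffice/extract_abc1"  # assumption: stands in for $tmpFolder->path()

# Shell control operators that end one simple command and start the next.
_SEPARATORS = {";", "|", "||", "&", "&&"}
# Allowlist for a bare file name: no path separators, no shell syntax, bounded length.
_PLAIN_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")


def vulnerable_command(tmp_file: str) -> str:
    """Mirror the unpatched code: the raw parameter is glued into one shell string."""
    return f"{TNEF_CMD} -C {OUT_FOLDER} {TMPDIR}{tmp_file}"


def patched_command(tmp_file: str) -> str:
    """Mirror the fix: each path becomes one quoted shell word (escapeshellarg analogue)."""
    return f"{TNEF_CMD} -C {shlex.quote(OUT_FOLDER)} {shlex.quote(TMPDIR + tmp_file)}"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenize like a POSIX shell and split on control operators.

    Returns one argv list per simple command, so a command line that was not
    broken out of yields exactly one.  Command substitution ($(...), backticks)
    is deliberately not modelled here; quoting neutralises it the same way.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = [[]]
    for token in lexer:
        if token in _SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(token)
    return [argv for argv in commands if argv]


def is_plain_file_name(tmp_file: str) -> bool:
    """Defense in depth: accept only a bare file name, never a path or shell syntax."""
    return _PLAIN_NAME.fullmatch(tmp_file) is not None


def tnef_argv(tmp_file: str) -> list[str]:
    """Preferred shape for new code: validate first, then build an argv list.

    Handing this list to subprocess.run() without shell=True means no shell
    ever parses the file name, so a forgotten escape cannot reopen the hole.
    """
    if not is_plain_file_name(tmp_file):
        raise ValueError(f"rejected tmp_file: {tmp_file!r}")
    return [TNEF_CMD, "-C", OUT_FOLDER, str(Path(TMPDIR) / tmp_file)]


if __name__ == "__main__":
    payload = "winmail.dat; id"   # constructed injection attempt for the demonstration
    print(shell_commands(vulnerable_command(payload)))  # two commands: the tnef call, then "id"
    print(shell_commands(patched_command(payload)))     # one command; the payload is a single argument
    print(tnef_argv("winmail.dat"))
```

The tokenizer is only a teaching aid: it shows that the unquoted build hands the shell two commands while the quoted build hands it one argument containing a literal semicolon. In production the argv form is the stronger fix, because it removes the shell from the path entirely and makes the allowlist a second, independent barrier.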
Attack Vector
The attack requires network access and valid authentication credentials. An authenticated attacker can exploit this vulnerability by:
- Authenticating to the Group-Office application
- Crafting a malicious request to the email/message/tnefAttachmentFromTempFile endpoint
- Injecting shell metacharacters into the tmp_file parameter
- Achieving arbitrary command execution on the underlying server
// Vulnerable code (before patch)
$tmpFolder = \GO\Base\Fs\Folder::tempFolder(uniqid(time()));
$tmpFile = new \GO\Base\Fs\File(GO::config()->tmpdir.$params['tmp_file']);
chdir($tmpFolder->path());
exec(GO::config()->cmd_tnef.' -C '.$tmpFolder->path().' '.$tmpFile->path(), $output, $retVar);
// Patched code (after fix)
$tmpFolder = \GO\Base\Fs\Folder::tempFolder(uniqid(time()));
$tmpFile = new \GO\Base\Fs\File(GO::config()->tmpdir.$params['tmp_file']);
chdir($tmpFolder->path());
exec(GO::config()->cmd_tnef.' -C '.escapeshellarg($tmpFolder->path()).' '.escapeshellarg($tmpFile->path()), $output, $retVar);
Source: GitHub Commit Update
Detection Methods for CVE-2026-25512
Indicators of Compromise
- Unusual HTTP requests to the email/message/tnefAttachmentFromTempFile endpoint containing shell metacharacters (;, |, `, $())
- Web server process spawning unexpected child processes or executing system commands
- Anomalous network connections originating from the web server process
- Suspicious file system activity in temporary directories or web application paths
Detection Strategies
- Monitor web application logs for requests to the TNEF attachment endpoint containing encoded or special characters in the tmp_file parameter
- Implement web application firewall (WAF) rules to detect and block command injection patterns in request parameters
- Deploy endpoint detection and response (EDR) solutions to identify web server processes executing unexpected shell commands
- Configure intrusion detection systems (IDS) to alert on process creation anomalies from PHP or web server processes
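The log-monitoring strategy above, as an added example that is not part of the advisory and not Group-Office code: a scanner over combined-format access log lines that picks out requests to the TNEF endpoint and flags tmp_file values carrying shell metacharacters, including values that were double-URL-encoded. The log lines are constructed, and the r= routing parameter and request shape are assumptions about how the endpoint is addressed.

```python
"""Access-log scanner for CVE-2026-25512 exploitation attempts (added example,
not from the advisory or Group-Office).  Sample lines are constructed; the r=
routing parameter and request shape are assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "email/message/tnefAttachmentFromTempFile"
# Metacharacters named in the advisory plus the other common shell operators.
METACHARS = re.compile(r"[;|&`$()<>\r\n]")

# Apache/Nginx combined log format; fields after the status code are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: a benign request, a single-encoded attempt,
# a double-encoded attempt, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - alice [05/Feb/2026:10:01:02 +0000] "GET /index.php?r=email/message/tnefAttachmentFromTempFile&tmp_file=winmail_8a1.dat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [05/Feb/2026:10:03:44 +0000] "GET /index.php?r=email/message/tnefAttachmentFromTempFile&tmp_file=x.dat%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 64 "-" "curl/8.4"
10.0.0.9 - bob [05/Feb/2026:10:04:10 +0000] "GET /index.php?r=email/message/tnefAttachmentFromTempFile&tmp_file=%2524%2528whoami%2529.dat HTTP/1.1" 500 0 "-" "curl/8.4"
10.0.0.7 - carol [05/Feb/2026:10:05:00 +0000] "GET /index.php?r=email/message/view&id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def suspicious_chars(value: str) -> list[str]:
    """Return the distinct shell metacharacters present in value, sorted."""
    return sorted(set(METACHARS.findall(value)))


def targets_endpoint(target: str) -> tuple[bool, dict[str, list[str]]]:
    """Return (hit, params): hit is True when the request addresses the TNEF
    endpoint, via the assumed r= routing parameter or directly in the path."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    hit = ENDPOINT in parts.path or ENDPOINT in params.get("r", [])
    return hit, params


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request carrying shell metacharacters in tmp_file.

    Each value is checked as the server decodes it once, and again after a
    second decode, so double-encoded payloads are reported as well.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, params = targets_endpoint(m["target"])
        if not hit:
            continue
        for raw in params.get("tmp_file", []):
            chars = suspicious_chars(raw)
            double = [] if chars else suspicious_chars(unquote(raw))
            if chars or double:
                findings.append({
                    "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                    "status": int(m["status"]), "tmp_file": raw,
                    "metachars": chars or double, "double_encoded": bool(double),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Access logs only record the query string, so this catches attempts that send tmp_file as a GET parameter; a value submitted in a POST body is invisible here and has to be caught by application-level request logging or a WAF that inspects ARGS. Treat the account named in a finding as a candidate for the credential review recommended below.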
Monitoring Recommendations
- Enable detailed logging for the Group-Office application, particularly for email-related endpoints
- Set up real-time alerting for any requests containing common command injection payloads
- Monitor system process trees for web server processes spawning shells or executing system utilities
- Review authentication logs to identify potentially compromised accounts being used in attacks
How to Mitigate CVE-2026-25512
Immediate Actions Required
- Upgrade Group-Office to patched versions 6.8.150, 25.0.82, or 26.0.5 immediately
- Review web server and application logs for evidence of exploitation attempts
- Audit user accounts with access to the email functionality for signs of compromise
- Consider temporarily disabling TNEF attachment processing if immediate patching is not possible
Patch Information
Intermesh has released security patches addressing this vulnerability. Organizations should update to the following versions:
- Version 6.8.150 for the 6.x branch
- Version 25.0.82 for the 25.x branch
- Version 26.0.5 for the 26.x branch
The patch applies proper escaping using escapeshellarg() to sanitize user input before passing it to shell commands. For detailed technical information, refer to the GitHub Security Advisory GHSA-579w and the security commit.
Workarounds
- Implement WAF rules to block requests containing shell metacharacters in the tmp_file parameter
- Restrict network access to Group-Office to trusted IP ranges only
- Disable the TNEF attachment handling functionality if not required for business operations
- Apply principle of least privilege to the web server process to limit impact of successful exploitation
# Example WAF rule (ModSecurity format) to block command injection attempts.
# ARGS:tmp_file covers the parameter whether it arrives in the query string or a POST body;
# the character class also includes & and redirection operators, which can chain commands.
SecRule ARGS:tmp_file "@rx [;|&`$\(\)<>]" \
"id:1001,\
phase:2,\
deny,\
status:403,\
log,\
msg:'Potential command injection attempt in tmp_file parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.