CVE-2026-27947 Overview
CVE-2026-27947 is a critical authenticated Remote Code Execution (RCE) vulnerability affecting Group-Office, an enterprise customer relationship management and groupware tool developed by Intermesh. The vulnerability exists in the TNEF (Transport Neutral Encapsulation Format) attachment processing flow, specifically in how the application handles winmail.dat files.
The vulnerable code path extracts attacker-controlled files from winmail.dat attachments and subsequently invokes the zip command with a shell wildcard (*). Because extracted filenames are attacker-controlled, they can be crafted to be interpreted as zip command-line options, leading to argument injection and ultimately arbitrary command execution on the underlying system.
Critical Impact
Authenticated attackers can achieve arbitrary command execution on the server by uploading specially crafted TNEF attachments with malicious filenames that exploit argument injection in the zip command processing flow.
Affected Products
- Intermesh Group-Office versions prior to 26.0.9
- Intermesh Group-Office versions prior to 25.0.87
- Intermesh Group-Office versions prior to 6.8.154
Discovery Timeline
- 2026-02-27 - CVE-2026-27947 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-27947
Vulnerability Analysis
This vulnerability is classified as CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection). The core issue stems from insufficient sanitization of filenames extracted from TNEF-formatted email attachments before those filenames are passed to shell commands.
When Group-Office processes incoming emails with TNEF attachments (winmail.dat files), it extracts the embedded files to a temporary directory. Subsequently, the application invokes the zip utility using a shell wildcard (*) to compress these extracted files. However, because the filenames within the TNEF attachment are controlled by the attacker, malicious filenames can be crafted that are interpreted as command-line arguments rather than file operands.
This attack technique is a well-known variant of argument injection where filenames beginning with dashes (-) or containing special characters can modify the behavior of command-line utilities. In this case, attackers can leverage zip options to write arbitrary files to attacker-controlled locations or execute arbitrary commands.
Root Cause
The root cause is the unsafe handling of user-controlled data (filenames from TNEF attachments) when constructing shell commands. The application fails to properly sanitize or escape filenames before passing them to the zip command via shell wildcard expansion. This allows attackers to inject arbitrary arguments into the zip command by crafting filenames that resemble command-line options.
The vulnerability requires authentication, but once an attacker has valid credentials, they can exploit this flaw by sending or uploading emails containing specially crafted winmail.dat attachments.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the Group-Office application. An attacker would craft a malicious TNEF attachment containing files with specially constructed names. When a user or automated process triggers the TNEF processing workflow, the malicious filenames are extracted and subsequently interpreted as zip command arguments during the compression step.
The attack chain involves:
- Attacker authenticates to Group-Office with valid credentials
- Attacker crafts a winmail.dat TNEF attachment containing files with malicious names (e.g., filenames starting with - that represent zip options)
- The attachment is processed by Group-Office's TNEF handling code
- Files are extracted to a temporary directory with attacker-controlled names
- When zip * is executed in the directory, the shell expands the wildcard into the extracted filenames and passes each one to zip as a separate argument, so names that begin with - are interpreted as command options rather than file operands
- Arbitrary commands execute with the privileges of the web server process
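The hardening a defender would want at the compression step, shown as an added Python example (it is not Group-Office code, which is PHP; the allowlist regex, the placeholder naming scheme and the helper names safe_name, sanitize_extracted, zip_argv and compress_safely are assumptions made for this example): extracted names are checked against an allowlist and renamed when they fail, and zip is then invoked as an argv list without a shell, with every operand prefixed by ./ so that no operand can ever begin with -.

```python
import os
import re
import subprocess
import tempfile

# Allowlist for names handed to an external tool: the first character must be a
# letter or digit (so a name can never begin with '-'), and the rest is limited
# to a conservative character set. This policy is constructed for the example;
# it is not Group-Office's own code or configuration.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,199}$")


def safe_name(original: str, index: int) -> str:
    """Return a filename that cannot be read as a command-line option.

    Directory components (with either separator) are dropped; a name that
    fails the allowlist is replaced by a numbered placeholder so the file is
    kept but its attacker-chosen name never reaches the command line.
    """
    base = os.path.basename(original.replace("\\", "/"))
    if SAFE_NAME.match(base):
        return base
    return f"attachment-{index:03d}.bin"


def sanitize_extracted(dir_path: str) -> dict:
    """Rename each file in dir_path to a safe name; returns {old: new}."""
    mapping = {}
    for index, name in enumerate(sorted(os.listdir(dir_path))):
        new = safe_name(name, index)
        target = os.path.join(dir_path, new)
        # Do not clobber a legitimately named file that already has this name.
        while new != name and os.path.exists(target):
            new = "dup-" + new
            target = os.path.join(dir_path, new)
        if new != name:
            os.rename(os.path.join(dir_path, name), target)
        mapping[name] = new
    return mapping


def zip_argv(archive_path: str, names: list) -> list:
    """Build the zip command as an argv list: no shell, no wildcard.

    Every operand is prefixed with './', so even an unsanitised name could not
    start with '-'. This does not rely on the tool honouring a '--' marker.
    """
    return ["zip", "-r", archive_path] + ["./" + n for n in names]


def compress_safely(dir_path: str, archive_path: str) -> list:
    """Sanitise names, then run zip without shell expansion. Returns the argv.

    The vulnerable pattern the advisory describes is, for contrast:
        subprocess.run(f"cd {dir_path} && zip -r {archive_path} *", shell=True)
    """
    sanitize_extracted(dir_path)
    argv = zip_argv(archive_path, sorted(os.listdir(dir_path)))
    subprocess.run(argv, cwd=dir_path, check=True)  # needs Info-ZIP zip on PATH
    return argv


def demo_sanitize() -> dict:
    """Create a constructed extraction directory and sanitise it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample names: one ordinary, one beginning with '-'.
        for name in ("report.txt", "-draft.txt"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("sample")
        return sanitize_extracted(tmp)


if __name__ == "__main__":
    print(demo_sanitize())
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        with open(os.path.join(src, "-draft.txt"), "w") as fh:
            fh.write("sample")
        archive = os.path.join(dst, "out.zip")
        try:
            print(compress_safely(src, archive))
        except FileNotFoundError:
            print("zip not installed; argv would be:", zip_argv(archive, ["attachment-000.bin"]))
```

Prefixing operands with ./ is the portable fix for wildcard argument injection because it works whether or not the tool treats -- as an end-of-options marker; the rename step is defence in depth for any later tool that receives the names. demo_sanitize() shows the renaming on a constructed directory; compress_safely() additionally requires the zip binary.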
Detection Methods for CVE-2026-27947
Indicators of Compromise
- Unusual winmail.dat or TNEF attachments in email traffic containing filenames with leading dashes or special characters
- Unexpected child processes spawned from the web server process (e.g., zip with unusual arguments)
- Suspicious file creation or modification in temporary directories used by Group-Office
- Web server logs showing email processing followed by unexpected system activity
Detection Strategies
- Monitor process execution for zip commands with suspicious argument patterns originating from web server contexts
- Implement file integrity monitoring on Group-Office installation directories and temporary folders
- Deploy endpoint detection rules to identify argument injection patterns in command-line utilities
- Review email server logs for TNEF attachments with anomalous internal file structures
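A concrete version of the first detection strategy above, added here as a Python example (it is not part of the advisory or of any vendor product): it reads constructed process-execution events in JSON-lines form (the field names ts, ppid_comm, comm and argv, the parent-process set and the expected-option allowlist are all assumptions for this example) and flags zip spawned from a web server parent with dash-prefixed arguments outside the allowlist, as well as a shell -c string that hands zip a bare * wildcard, while leaving the ./* form and non-web contexts alone.

```python
import json
import re
from typing import Optional

# Parent process names that count as "web server context". Constructed for the
# example; adjust to the PHP runtime actually used on the host.
WEB_SERVER_PARENTS = {"php-fpm", "apache2", "httpd", "php"}

# zip options the application is expected to pass. Any other dash-prefixed
# argument from a web server context is unusual and worth a look.
EXPECTED_ZIP_OPTIONS = {"-r", "-q", "-j"}

# "zip ... *" inside a shell -c string: a bare wildcard operand fed to zip.
# "./*" is deliberately not matched, since that form cannot yield a leading '-'.
SHELL_WILDCARD_ZIP = re.compile(r"\bzip\b[^;&|]*\s\*(?:\s|$)")


def classify_event(event: dict) -> Optional[str]:
    """Return a reason string when a process event looks suspicious, else None."""
    if event.get("ppid_comm") not in WEB_SERVER_PARENTS:
        return None
    comm = event.get("comm")
    argv = event.get("argv", [])
    if comm in ("sh", "bash", "dash") and len(argv) >= 3 and argv[1] == "-c":
        if SHELL_WILDCARD_ZIP.search(argv[2]):
            return "shell wildcard passed to zip from web server context"
        return None
    if comm == "zip":
        unexpected = [a for a in argv[1:]
                      if a.startswith("-") and a not in EXPECTED_ZIP_OPTIONS]
        if unexpected:
            return ("zip from web server context with unexpected dash-prefixed "
                    "arguments: " + ", ".join(unexpected))
    return None


def scan_log(lines) -> list:
    """Run classify_event over JSON-lines process events; returns findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = classify_event(event)
        if reason:
            findings.append({"ts": event.get("ts"), "reason": reason,
                             "argv": event.get("argv")})
    return findings


# Constructed sample events (not real telemetry), one JSON object per line.
# Paths and timestamps are made up for the example.
SAMPLE_LOG = """
{"ts": "2026-03-01T10:00:01Z", "ppid_comm": "php-fpm", "comm": "zip", "argv": ["zip", "-r", "/tmp/tnef-1/out.zip", "./report.txt", "./budget.xlsx"]}
{"ts": "2026-03-01T10:00:07Z", "ppid_comm": "php-fpm", "comm": "zip", "argv": ["zip", "-r", "/tmp/tnef-2/out.zip", "-draft.txt", "report.txt"]}
{"ts": "2026-03-01T10:00:09Z", "ppid_comm": "php-fpm", "comm": "sh", "argv": ["sh", "-c", "cd /tmp/tnef-3 && zip -r out.zip *"]}
{"ts": "2026-03-01T10:05:00Z", "ppid_comm": "cron", "comm": "zip", "argv": ["zip", "-r", "/var/backups/site.zip", "-x", "*.log"]}
{"ts": "2026-03-01T10:06:00Z", "ppid_comm": "php-fpm", "comm": "sh", "argv": ["sh", "-c", "cd /tmp/tnef-4 && zip -r out.zip ./*"]}
"""


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["reason"], finding["argv"])
```

Only the second and third sample events are reported: the first uses ./-prefixed operands, the fourth comes from cron rather than a web server parent, and the fifth is the mitigated ./* form. The allowlist of expected options is the part to tune per deployment; it should contain exactly the options the application's own invocation uses and nothing more.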
Monitoring Recommendations
- Enable verbose logging for email attachment processing in Group-Office
- Configure SIEM rules to correlate email ingestion events with subsequent process execution anomalies
- Monitor for unauthorized file writes or command execution from the web application context
- Implement network-level inspection for suspicious TNEF attachment contents
How to Mitigate CVE-2026-27947
Immediate Actions Required
- Upgrade Group-Office to version 26.0.9, 25.0.87, or 6.8.154 or later immediately
- Review authentication logs for any suspicious access patterns that may indicate exploitation attempts
- Audit systems for signs of compromise including unexpected files, processes, or network connections
- Restrict access to Group-Office to trusted networks until patching is complete
Patch Information
Intermesh has released patched versions that address this vulnerability. The fix is available in Group-Office versions 26.0.9, 25.0.87, and 6.8.154. Organizations should update to these versions or later as soon as possible.
For detailed patch information, refer to the GitHub Security Advisory GHSA-2rwh-9qp7-f92x.
Workarounds
- Disable TNEF/winmail.dat attachment processing if the feature is not business-critical
- Implement email filtering to strip or quarantine TNEF attachments at the mail gateway level
- Apply application-level access controls to limit which users can upload or process email attachments
- Deploy web application firewall rules to inspect and block malicious attachment patterns
# Example: Disable TNEF processing at mail gateway (configuration varies by product)
# For Postfix with amavisd-new, add to /etc/amavisd.conf:
# @bypass_decode_parts = qw( .tnef winmail.dat );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.