Impact
The vulnerability resides in the MaintenanceController::actionZipLanguage method of Group-Office, which forwards a user-supplied "lang" parameter directly to the operating system's zip command via exec() without validation. This permits an attacker to craft a malicious zip file and supply a tampered "lang" value, thereby injecting arbitrary command-line arguments and achieving remote code execution on the host. The flaw carries a high-severity CVSS score of 9.4, indicating a critical risk to confidentiality, integrity, and availability.
Affected Systems
The issue affects Intermesh Group-Office versions released before 6.8.150, 25.0.82, and 26.0.5. All installations on the 6.x, 25.x, and 26.x branches that are older than these specific releases remain vulnerable. Updating to these releases or later brings in the fix, which validates the parameter before invoking the zip command.
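One way to validate such a parameter before it reaches exec(), shown as an added example that is not Group-Office's code or its actual patch. The function names, the language-code pattern and the base directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not Group-Office's code or its patch.

// Allowlist check: assumes language codes look like "en", "nl" or "pt_br".
function validateLangCode(string $lang): string
{
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    if (preg_match('/\A[a-z]{2,3}(?:_[a-z]{2,4})?\z/', $lang) !== 1) {
        throw new InvalidArgumentException('invalid language code');
    }
    return $lang;
}

// Builds the command string that would be handed to exec().
// $baseDir is a server-side constant (assumed absolute), never request data.
function buildZipCommand(string $lang, string $baseDir): string
{
    $lang = validateLangCode($lang);
    // Both operands start with the absolute $baseDir, so neither can begin
    // with "-" and be parsed by zip as an option.
    $archive = $baseDir . '/' . $lang . '.zip';
    $source  = $baseDir . '/' . $lang;
    // escapeshellarg() covers shell metacharacters; it does not by itself
    // stop a value that starts with "-" from being read as an option.
    return 'zip -r ' . escapeshellarg($archive) . ' ' . escapeshellarg($source);
}

// Constructed sample inputs, not taken from any real request.
$samples = ['nl', 'pt_br', '-x', 'en --flag', "en\n", '../en'];
foreach ($samples as $lang) {
    try {
        echo 'accepted: ', buildZipCommand($lang, '/var/lib/example/lang'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($lang), PHP_EOL;
    }
}
```

Only the first two samples produce a command; the rest are rejected before any string is built for the shell.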
Risk and Exploitability
Exploitation requires access to the web application to invoke the MaintenanceController action and upload a specially crafted zip archive. The EPSS score of less than 1% suggests a low estimated likelihood of exploitation, yet the CVSS score signals that an attacker who succeeds can execute arbitrary code with the privileges of the web server. The vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, but the mechanism and severity warrant immediate attention.