Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Published: 2026-02-04
Score: 9.4 Critical
EPSS: 23.8% Moderate
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Group-Office contains a command injection flaw in its TNEF attachment handler, where user-provided input is concatenated directly into an exec() call. An attacker who is authenticated to the application can inject shell metacharacters into the tmp_file parameter, allowing the execution of arbitrary system commands on the web server. This can compromise the entire server, lead to data exfiltration, and provide a foothold for further lateral movement.

Affected Systems

The vulnerability affects Intermesh Group‑Office versions prior to 6.8.150, 25.0.82, and 26.0.5. Any installation running one of these releases is at risk, regardless of the operating system, provided the email/message/tnefAttachmentFromTempFile endpoint remains accessible.

Risk and Exploitability

With a CVSS base score of 9.4 the flaw is considered critical, and an EPSS score of 23% indicates a moderate likelihood of exploitation in the near term. Because the exploit requires authentication to Group‑Office, it is a medium to high risk for organizations that expose the application over the network. The flaw is not listed in the CISA KEV catalog, but given its severity and exploit probability, it should not be ignored.

Generated by OpenCVE AI on April 17, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Group‑Office to version 6.8.150 or later, 25.0.82 or later, or 26.0.5 or later to receive the vendor patch that sanitises input to the TNEF handler.
  • If an upgrade is not immediately possible, lock down access to the email/message/tnefAttachmentFromTempFile endpoint so that only the minimum necessary users can invoke it, and use a firewall or web application firewall to block requests to that endpoint that carry shell metacharacters.
  • Modify or disable the TNEF attachment processing component so that it does not execute arbitrary commands, or configure it to perform a safe extraction of attachment contents without invoking exec().
  • Continuously monitor web and system logs for evidence of command injection attempts, such as the presence of shell metacharacters in tmp_file parameters, and investigate any anomalies promptly.
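
One way to act on the log-monitoring recommendation above, as an added example (not OpenCVE's or Group-Office's code): it scans access-log lines for requests to the affected endpoint whose tmp_file value contains shell metacharacters, including double-URL-encoded ones. It assumes combined-format access logs with tmp_file in the query string; the `/index.php?r=` request form and the sample lines are constructed, and parameters sent in a POST body are not visible to it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "email/message/tnefAttachmentFromTempFile"
# Characters a shell interprets; none belong in a temp-file name.
SHELL_META = re.compile(r"""[;&|`$()<>\\'"\n\r]""")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the request layout is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2026:10:00:01 +0000] "GET /index.php?r=email/message/'
    'tnefAttachmentFromTempFile&tmp_file=winmail.dat HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Feb/2026:10:02:11 +0000] "GET /index.php?r=email/message/'
    'tnefAttachmentFromTempFile&tmp_file=winmail.dat%3BCONSTRUCTED HTTP/1.1" 200 0',
    '203.0.113.9 - - [05/Feb/2026:10:02:40 +0000] "GET /index.php?r=email/message/'
    'tnefAttachmentFromTempFile&tmp_file=%2524%2528CONSTRUCTED%2529 HTTP/1.1" 200 0',
    '203.0.113.7 - - [05/Feb/2026:10:03:05 +0000] "GET /index.php?r=email/message/'
    'view&tmp_file=a%3Bb HTTP/1.1" 200 90',
]


def suspicious_requests(lines):
    """Return (line_number, tmp_file_value, metacharacters) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = match.group("target")
        # Only the affected endpoint is of interest here.
        if ENDPOINT.lower() not in unquote(target).lower():
            continue
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("tmp_file", []):
            # parse_qs decodes once; decode again to catch double encoding.
            found = set(SHELL_META.findall(value))
            found |= set(SHELL_META.findall(unquote(value)))
            if found:
                hits.append((number, value, sorted(found)))
    return hits


if __name__ == "__main__":
    for number, value, chars in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: tmp_file={value!r} metacharacters={chars}")
```
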


Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Group-office; Group-office group Office |
| CPEs | | cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:* |
| Vendors & Products | | Group-office; Group-office group Office |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


Thu, 05 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 05 Feb 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Intermesh; Intermesh group-office |
| Vendors & Products | | Intermesh; Intermesh group-office |

Wed, 04 Feb 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. |
| Title | | Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T21:03:24.677Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25512

Vulnrichment

Updated: 2026-02-05T21:03:05.293Z

NVD

Status: Analyzed

Published: 2026-02-04T21:16:02.390

Modified: 2026-02-11T19:15:49.477

Link: CVE-2026-25512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses