Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
Published: 2026-02-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Group-Office, an enterprise customer relationship management and groupware system, contains an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. An authenticated attacker can upload a winmail.dat file whose embedded attachments carry attacker-controlled filenames; the application extracts them and then invokes the zip utility with a shell wildcard. Because the filenames are not validated, the names the wildcard expands to can be interpreted as zip options, which leads to arbitrary command execution with the privileges of the web server process. The weaknesses are unrestricted upload of a file with a dangerous type (CWE-434) and argument injection (CWE-88).

Affected Systems

The vulnerability affects Intermesh Group-Office installations running versions earlier than 26.0.9, 25.0.87, or 6.8.154. Upgrading to any of those release numbers or later removes the flaw.

Risk and Exploitability

The CVSS score of 9.4 classifies this as critical. The documented exploitation requires authenticated access, meaning the attacker must first obtain valid credentials or leverage an existing user session. The EPSS score of less than 1% indicates a low estimated probability of exploitation activity in the near term, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the high severity rating and the ability to execute arbitrary commands represent a significant threat to confidentiality, integrity, and availability for any affected system. Remediation through an upgrade is the only confirmed mitigation.

Generated by OpenCVE AI on April 16, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied upgrade to version 26.0.9, 25.0.87, or 6.8.154 to remove the vulnerable code
  • After upgrading, verify that the TNEF processing path no longer invokes zip with unvalidated filenames; if still present, re‑configure the system to sanitize or reject winmail.dat attachments so that filenames cannot be interpreted as shell options
  • Continuously monitor upload logs for suspicious winmail.dat activity and any failed or abnormal zip executions, and enforce strict file‑name validation to prevent future exploitation attempts
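
The wildcard behaviour behind the description and the file-name validation action, as an added shell example that is not Group-Office code: it shows how a bare `*` hands dash-prefixed filenames to a program as option-like arguments, how `./*` prevents that, and a name check to run before any archiver. The filenames, scratch directory and function names are constructed for illustration, and zip is never invoked.

```shell
#!/bin/sh
# Added illustration; filenames below are constructed, and zip is never run.

# Count arguments that a command-line parser would read as options.
count_optionlike() {
    n=0
    for a in "$@"; do
        case "$a" in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Create a scratch directory standing in for the TNEF extraction directory.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"
    : > "$d/-x"                # constructed name starting with a dash
    : > "$d/--example-flag"    # constructed, not a real zip option
    echo "$d"
}

# Unsafe pattern: the shell expands * before the program starts.
optionlike_with_bare_glob() { ( cd "$1" && count_optionlike * ); }

# Hardened pattern: every expanded name begins with "./".
optionlike_with_dot_slash_glob() { ( cd "$1" && count_optionlike ./* ); }

# Validation: print names to reject before any archiver is invoked.
rejected_names() {
    ( cd "$1" && for f in ./*; do
        case "${f#./}" in -*) printf '%s\n' "${f#./}" ;; esac
    done )
}

dir=$(make_sample_dir)
echo "bare glob:  $(optionlike_with_bare_glob "$dir") option-like argument(s)"
echo "./* glob:   $(optionlike_with_dot_slash_glob "$dir") option-like argument(s)"
echo "rejected:   $(rejected_names "$dir" | tr '\n' ' ')"
rm -rf "$dir"
```

Passing an explicit, validated file list to the archiver without going through a shell removes the expansion step altogether.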


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | `cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*` |
| Metrics | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` |


Tue, 03 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 02 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Intermesh, Intermesh group-office |
| Vendors & Products | | Intermesh, Intermesh group-office |

Fri, 27 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue. |
| Title | | Group-Office Vulnerable to Remote Code Execution (RCE) |
| Weaknesses | | CWE-434, CWE-88 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:24:32.730Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27947

Vulnrichment

Updated: 2026-03-03T20:24:27.720Z

NVD

Status: Analyzed

Published: 2026-02-27T20:21:40.513

Modified: 2026-03-04T16:07:30.840

Link: CVE-2026-27947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses