{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25512", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T18:21:42.486Z", "datePublished": "2026-02-04T20:39:08.039Z", "dateUpdated": "2026-02-05T21:03:24.677Z"}, "containers": {"cna": {"title": "Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"}, {"name": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792", "tags": ["x_refsource_MISC"], "url": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.150", "status": "affected"}, {"version": "< 25.0.82", "status": "affected"}, {"version": "< 26.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:39:08.039Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "source": {"advisory": "GHSA-579w-jvg7-frr4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T21:03:20.946470Z", "id": "CVE-2026-25512", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:03:24.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25512", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-05T21:03:20.946470Z"}}}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:03:05.293Z"}}], "cna": {"title": "Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler", "source": {"advisory": "GHSA-579w-jvg7-frr4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"status": "affected", "version": "< 6.8.150"}, {"status": "affected", "version": "< 25.0.82"}, {"status": "affected", "version": "< 26.0.5"}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4", "name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792", "name": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T20:39:08.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25512", "state": "PUBLISHED", "dateUpdated": "2026-02-05T21:03:24.677Z", "dateReserved": "2026-02-02T18:21:42.486Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T20:39:08.039Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "97DDA2DE-263C-4AB0-BA43-6AD9D0CAF599", "versionEndExcluding": "6.8.150", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "39BE8337-170B-4895-A5AA-B27AFB64E418", "versionEndExcluding": "25.0.82", "versionStartIncluding": "25.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB489F3F-5EA4-4DFD-9F70-9AD862D7401A", "versionEndExcluding": "26.0.5", "versionStartIncluding": "26.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5."}], "id": "CVE-2026-25512", "lastModified": "2026-02-11T19:15:49.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T21:16:02.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:13:07.458797+00:00", "value": {"mitigation_remediation": ["Upgrade Group\u2011Office to version 6.8.150 or later, 25.0.82 or later, or 26.0.5 or later to receive the vendor patch that sanitises input to the TNEF handler.", "If an upgrade is not immediately possible, lock down access to the email/message/tnefAttachmentFromTempFile endpoint, ensuring only the minimum necessary users can invoke it, and use a firewall or application firewall to block execution of shell metacharacters from that endpoint.", "Modify or disable the TNEF attachment processing component so that it does not execute arbitrary commands, or configure it to perform a safe extraction of attachment contents without invoking exec().", "Continuously monitor web and system logs for evidence of command injection attempts, such as the presence of shell metacharacters in tmp_file parameters, and investigate any anomalies promptly."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Intermesh Group\u2011Office versions prior to 6.8.150, 25.0.82, and 26.0.5. Any installation running one of these releases is at risk, regardless of the operating system, provided the email/message/tnefAttachmentFromTempFile endpoint remains accessible.", "description_and_impact": "Group-Office contains a command injection flaw in its TNEF attachment handler, where user-provided input is concatenated directly into an exec() call. An attacker who is authenticated to the application can inject shell metacharacters into the tmp_file parameter, allowing the execution of arbitrary system commands on the web server. This can compromise the entire server, lead to data exfiltration, and provide a foothold for further lateral movement.", "risk_and_exploitability": "With a CVSS base score of 9.4 the flaw is considered critical, and an EPSS score of 23% indicates a moderate likelihood of exploitation in the near term. Because the exploit requires authentication to Group\u2011Office, it is a medium to high risk for organizations that expose the application over the network. The flaw is not listed in the CISA KEV catalog, but given its severity and exploit probability, it should not be ignored."}}}}, "created": "2026-02-05T11:39:22.093712+00:00", "updated": "2026-04-17T23:15:30.811563+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}