CVE-2026-25512

Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler

Assigner: GitHub_M
Reserved: 02.02.2026 Published: 04.02.2026 Updated: 04.02.2026

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Intermesh
Product	groupoffice
Versions	Version < 6.8.150 is affected Version < 25.0.82 is affected Version < 26.0.5 is affected

Vendor

Intermesh

Product

groupoffice

Versions

Version < 6.8.150 is affected
Version < 25.0.82 is affected
Version < 26.0.5 is affected

References

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE

CVE-2026-25512 PUBLISHED

Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler

Metrics

Product Status

References

Problem Types