CVE-2026-25512

EUVD-2026-5349

04.02.2026, 21:16

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Affected Products (NVD)

Vendor	Product	Version
group-office	group_office	𝑥 < 6.8.150
group-office	group_office	25.0.1 ≤ 𝑥 < 25.0.82
group-office	group_office	26.0.1 ≤ 𝑥 < 26.0.5

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4