CVE-2026-25134
Command Injection in Group-Office MaintenanceController Enables RCE
Publication date: 2026-02-02
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| group-office | group_office | to 6.8.150 (exc) |
| group-office | group_office | From 25.0.1 (inc) to 25.0.82 (exc) |
| group-office | group_office | From 26.0.1 (inc) to 26.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Group-Office's MaintenanceController where the zipLanguage action takes a lang parameter and passes it directly to a system zip command via exec(). An attacker can exploit this by uploading a specially crafted zip file combined with this parameter to execute arbitrary code remotely on the server. This allows the attacker to run commands on the system without authorization.
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on the affected system, allowing an attacker to gain unauthorized control over the server running Group-Office. This can result in data theft, data loss, service disruption, or further compromise of the network and systems.
What immediate steps should I take to mitigate this vulnerability?
Update Group-Office to version 6.8.150, 25.0.82, or 26.0.5 or later, as these versions contain the fix for the vulnerability in the MaintenanceController's zipLanguage action that allows remote code execution.