Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25512 is a critical remote code execution (RCE) vulnerability in Group-Office, a PHP-based enterprise customer relationship management and groupware tool. The vulnerability exists in the email/message/tnefAttachmentFromTempFile endpoint, where the user-controlled parameter tmp_file is directly concatenated into an exec() shell command without any escaping or validation.'}, {'type': 'paragraph', 'content': "This improper handling allows an authenticated attacker to inject shell metacharacters into the tmp_file parameter, enabling arbitrary system command execution on the server with the web server's privileges."}, {'type': 'paragraph', 'content': 'Exploitation requires a valid authenticated session and a valid CSRF security token. The issue arises from unsafe concatenation of user input into shell commands, specifically in the method actionTnefAttachmentFromTempFile in the MessageController.php file.'}, {'type': 'paragraph', 'content': 'The vulnerability has been patched in Group-Office versions 6.8.150, 25.0.82, and 26.0.5 by properly escaping shell arguments before passing them to exec().'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts on the affected system's confidentiality, integrity, and availability."}, {'type': 'list_item', 'content': 'Confidentiality: An attacker can read sensitive files and environment data on the server.'}, {'type': 'list_item', 'content': 'Integrity: An attacker can modify or delete server files, potentially altering data or configurations.'}, {'type': 'list_item', 'content': 'Availability: An attacker can disrupt services or delete critical data, causing denial of service.'}, {'type': 'paragraph', 'content': "Because the attacker can execute arbitrary system commands with the web server's privileges, the system can be fully compromised."}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the unsafe handling of the tmp_file parameter in the email/message/tnefAttachmentFromTempFile endpoint. An authenticated user with a valid CSRF token can inject shell metacharacters into the tmp_file parameter to execute arbitrary commands.

A practical detection method involves using curl commands to authenticate and then send a crafted request that injects a command via the tmp_file parameter. For example, injecting a command that writes output to a file (e.g., rce.txt) and then retrieving that file from the ZIP response can confirm the vulnerability.

Example commands include:

• Use curl to login and obtain a session cookie and CSRF token.
• Send a curl request to the vulnerable endpoint with the tmp_file parameter containing shell metacharacters to execute a command like `id > rce.txt`.
• Download and extract the ZIP response to check for the presence and content of rce.txt, confirming command execution.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Group-Office to a patched version where this vulnerability is fixed. The patched versions are 6.8.150, 25.0.82, and 26.0.5.

The underlying fix involves sanitizing the tmp_file and temporary folder path parameters by applying the escapeshellarg() function before passing them to the exec() call. This prevents command injection by escaping any special shell characters.

Until the upgrade can be applied, restrict access to the vulnerable endpoint to trusted authenticated users only, and monitor for suspicious activity involving the tmp_file parameter.

Useful 0 Not Useful 0