CVE-2026-25512

Severity: HIGH
WAF coverage: High
CVSS 8.8
Published: 2026-02-04
CWE-78

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
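The concatenation pattern described above, next to a hardened form, as an added example that is not Group-Office source code or the vendor's patch. The temp directory, the function names and the tnef command line are assumptions made for illustration.

```php
<?php
// Added illustration, not Group-Office source. TMP_ROOT, the function names
// and the tnef command line are assumptions made for this example.
const TMP_ROOT = '/tmp/groupoffice-example';

// Pattern the advisory describes: request input concatenated into the string
// handed to exec(), so the shell interprets any metacharacters in $tmpFile.
function extractTnefUnsafe(string $tmpFile): void
{
    exec('tnef -C ' . TMP_ROOT . '/out -f ' . TMP_ROOT . '/' . $tmpFile);
}

// Hardened form: resolve the path, confine it to TMP_ROOT, quote every argument.
function extractTnefSafe(string $tmpFile): array
{
    $root = realpath(TMP_ROOT);
    $path = realpath(TMP_ROOT . '/' . $tmpFile); // false when the file does not exist
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . '/', strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('tmp_file must name a file inside the temp directory');
    }
    $outDir = $root . '/out';
    if (!is_dir($outDir) && !mkdir($outDir, 0700)) {
        throw new RuntimeException('cannot create output directory');
    }
    // realpath() yields an absolute path, so the value cannot be read as an option;
    // escapeshellarg() makes it one literal argument whatever characters it holds.
    $cmd = 'tnef -C ' . escapeshellarg($outDir) . ' -f ' . escapeshellarg($path);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("tnef exited with status $status");
    }
    return $output;
}

// Constructed input: rejected before any command string is built.
try {
    extractTnefSafe('winmail.dat;x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Since PHP 7.4, proc_open() also accepts the command as an array of arguments, which starts the program without a shell and removes the quoting step entirely.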

WAF Coverage Analysis

OS Command Injection High WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution

Affected Software

Vendor        Product       Version
group-office  group_office  up to 6.8.150
group-office  group_office  25.0.1 - 25.0.82
group-office  group_office  26.0.1 - 26.0.5
