CVE-2025-63406

HIGH

GroupOffice < 25.0.47 and 6.8.136 - FunctionField eval Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-63406. PoCs published by Nxvh1337, WinDyAlphA, richard-natan.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-63406, demonstrating remote command execution (RCE) in GroupOffice via crafted API requests to create a malicious FunctionField that executes system commands.

Description

An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi() and eval() in the FunctionField.php

Exploits (4)

nomisec WORKING POC 4 stars
by Nxvh1337 · poc
https://github.com/Nxvh1337/CVE-2025-63406-PoC

This repository contains a functional exploit for CVE-2025-63406, demonstrating remote command execution (RCE) in GroupOffice via crafted API requests to create a malicious FunctionField that executes system commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GroupOffice
Auth required
Prerequisites: valid credentials · access to GroupOffice API endpoints
devstral-2 · analyzed Mar 07, 2026 Full analysis →
nomisec WORKING POC 4 stars
by WinDyAlphA · poc
https://github.com/WinDyAlphA/CVE-2025-63406-PoC

This PoC exploits CVE-2025-63406 in GroupOffice by creating a custom field with a malicious function that executes arbitrary system commands. The exploit chains authentication, field creation, and data extraction to demonstrate RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GroupOffice
Auth required
Prerequisites: Valid credentials for GroupOffice · Access to the target's API endpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by richard-natan · poc
https://github.com/richard-natan/PoC-CVE-2025-63406

This is a functional PoC exploit for CVE-2025-63406, targeting GroupOffice. It demonstrates authenticated remote code execution (RCE) by creating a malicious FieldSet and executing arbitrary commands via a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GroupOffice (version not specified)
Auth required
Prerequisites: Valid credentials for GroupOffice · Network access to the target · JMAP API endpoint accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-63406

This repository contains a functional exploit for CVE-2025-63406, targeting GroupOffice. The exploit leverages a vulnerability in the FieldSet and Field creation API endpoints to achieve remote code execution (RCE) by injecting a system command into a FunctionField.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GroupOffice
Auth required
Prerequisites: valid credentials for GroupOffice · access to the API endpoints
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0065
EPSS Percentile 46.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (1)
group-office/group_office < 6.8.136
Published Nov 13, 2025
Tracked Since Feb 18, 2026