CVE-2026-25512

HIGH NUCLEI

Group-Office < 6.8.150 - Authenticated Remote Code Execution via tmp_file Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-25512. PoCs published by XiaomingX, mbanyamer, NumberOreo1. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction capabilities for admin credentials and password hashes.

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25512

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction capabilities for admin credentials and password hashes.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by mbanyamer · poc
https://github.com/mbanyamer/CVE-2026-25512-PoC-Group-Office-Authenticated-RCE

This is a functional exploit PoC for CVE-2026-25512, demonstrating authenticated remote command execution in Group-Office via command injection in the TNEF attachment handler endpoint. The script authenticates, injects a payload via the 'tmp_file' parameter, and verifies execution by retrieving a proof file from the response.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Group-Office (Intermesh) < 26.0.4
Auth required
Prerequisites: Valid credentials for Group-Office · Network access to the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by NumberOreo1 · poc
https://github.com/NumberOreo1/CVE-2026-25512

This repository contains a functional proof-of-concept exploit for CVE-2026-25512, a command injection vulnerability in Group-Office's TNEF handler. The exploit demonstrates remote code execution by injecting shell metacharacters into the `tmp_file` parameter, which is passed unsanitized to an `exec()` call.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Group-Office ≤ 26.0.4
Auth required
Prerequisites: Valid Group-Office credentials · CSRF security token
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Group-Office < 26.0.5 - Remote Code Execution
CRITICALVERIFIEDby omarkurt
Shodan: title:"Group-Office"
FOFA: title="Group-Office"

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.2261
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
group-office/group_office < 6.8.150
Published Feb 04, 2026
Tracked Since Feb 18, 2026