Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x
Scores
CVSS v3
8.8
EPSS
0.0073
EPSS Percentile
49.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-88
CWE-434
Status
published
Products (1)
intermesh/group-office
< 6.8.154
Published
Feb 27, 2026
Tracked Since
Feb 28, 2026