
CVE-2025-63406: n/a

Published: Thu Nov 13 2025 (11/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in Intermesh BV GroupOffice before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via dbToApi() and eval() in FunctionField.php.

AI-Powered Analysis

Last updated: 11/13/2025, 19:24:46 UTC

Technical Analysis

CVE-2025-63406 is a critical remote code execution (RCE) vulnerability in Intermesh BV's GroupOffice software, affecting versions before 25.0.47 and 6.8.136. The vulnerability originates from the unsafe use of the PHP eval() function within the dbToApi() method in the FunctionField.php file. eval() executes whatever PHP code is passed to it, so if user input is not properly sanitized, attackers can inject and execute malicious code remotely. This flaw enables unauthenticated remote attackers to execute arbitrary code on the server hosting GroupOffice, potentially leading to full system compromise.

GroupOffice is a groupware and collaboration platform widely used by organizations for email, calendar, file sharing, and project management. The vulnerability does not require authentication or user interaction, increasing its risk. Although no public exploits are known yet, the presence of eval() in a web-facing function makes exploitation straightforward for attackers with network access. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability threatens confidentiality, integrity, and availability by allowing attackers to execute arbitrary commands, access sensitive data, or disrupt services.

Immediate patching to the fixed versions is essential to prevent exploitation. If patching is delayed, organizations should implement input validation, disable or restrict eval() usage, and monitor logs for suspicious activity related to FunctionField.php. This vulnerability underscores the risks of unsafe dynamic code execution in web applications.

Potential Impact

For European organizations, this vulnerability poses a significant threat due to the widespread use of GroupOffice in enterprise collaboration environments. Successful exploitation could lead to full system compromise, data breaches involving sensitive corporate or personal information, disruption of business operations, and potential lateral movement within networks. The ability to execute arbitrary code remotely without authentication increases the risk of automated attacks and wormable exploits. Organizations relying on GroupOffice for critical communication and project management could face operational downtime and reputational damage. Additionally, compromised systems could be used as footholds for further attacks, including ransomware deployment or espionage. Given the critical nature of the vulnerability, European entities in sectors such as finance, government, healthcare, and education that use GroupOffice are particularly at risk. The impact extends beyond individual organizations to potentially affect supply chains and partner networks interconnected via GroupOffice deployments.

Mitigation Recommendations

1. Immediately upgrade GroupOffice installations to version 25.0.47 or 6.8.136 or later, where the vulnerability is patched.
2. If immediate patching is not feasible, implement strict input validation and sanitization on all inputs processed by the dbToApi() method to prevent injection of malicious code.
3. Disable or refactor any use of the eval() function in FunctionField.php or related code to eliminate dynamic code execution risks.
4. Restrict network access to GroupOffice servers, limiting exposure to trusted internal networks or VPNs to reduce attack surface.
5. Monitor application and system logs for unusual activity, especially any attempts to invoke FunctionField.php or suspicious PHP code execution.
6. Employ web application firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting this vulnerability.
7. Conduct regular security assessments and code reviews focusing on dynamic code execution patterns.
8. Educate IT and security teams about the risks associated with eval() and similar functions to prevent future vulnerabilities.
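A starting point for the code review in recommendation 7, as an added example that is not GroupOffice code or part of the original analysis: a Python triage script that lists eval() calls in PHP source and marks those whose argument contains a variable. The sample PHP is constructed and does not reproduce FunctionField.php; the script is a regex heuristic rather than a PHP parser, and heredocs are not handled.

```python
import re

# Comments/strings are consumed first so "eval(" inside them is not reported;
# the lookbehind skips $obj->eval(, Foo::eval( and names such as myeval(.
TOKEN = re.compile(r"""
    (?P<skip>//[^\n]*|\#[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<eval>(?<![\w$>:])eval\s*\()
""", re.S | re.X | re.I)
PAREN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[()]""", re.S)

def eval_argument(src, start):
    """Return the text between eval( and its matching closing parenthesis."""
    depth = 1
    for m in PAREN.finditer(src, start):
        if m.group() == "(":
            depth += 1
        elif m.group() == ")":
            depth -= 1
            if depth == 0:
                return src[start:m.start()].strip()
    return src[start:].strip()  # unbalanced source: return the remainder

def audit_php(src):
    """List (line, kind, argument) per eval() call; any "$" in the argument
    is conservatively treated as a variable and reported as "dynamic"."""
    findings = []
    for m in TOKEN.finditer(src):
        if m.group("eval"):
            arg = eval_argument(src, m.end())
            line = src.count("\n", 0, m.start()) + 1
            kind = "dynamic" if "$" in arg else "literal"
            findings.append((line, kind, arg))
    return findings

# Constructed sample, not GroupOffice source.
SAMPLE = r'''<?php
// eval($legacy); commented out, must not be reported
function render($record, $template) {
    $note = 'docs mention eval($x) in a string';
    $expr = str_replace('{a}', $record->a, $template);
    eval("\$result = " . $expr . ";");
}
function fixed($sandbox, $code) {
    eval('return 1 + 1;');
    return $sandbox->eval($code);
}
'''

if __name__ == "__main__":
    for line, kind, arg in audit_php(SAMPLE):
        print(f"line {line}: {kind:8} eval({arg})")
```

Calls reported as "dynamic" are the ones to trace back to their data source during review; "literal" calls execute fixed code but are still candidates for refactoring.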


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69162e9f19431ce75c5ca19a

Added to database: 11/13/2025, 7:16:47 PM

Last enriched: 11/13/2025, 7:24:46 PM

Last updated: 11/14/2025, 4:10:23 AM
