CVE-2026-25134 is a critical vulnerability in Intermesh Group-Office, an enterprise CRM and groupware platform. The vulnerability stems from improper neutralization of argument delimiters (CWE-88) in the MaintenanceController's zipLanguage action, which accepts a lang parameter and passes it unsanitized to a system-level zip command via exec(). This design flaw allows attackers to inject malicious command arguments, leading to remote code execution (RCE). Exploitation requires uploading a specially crafted zip file and manipulating the lang parameter to execute arbitrary system commands. The vulnerability affects multiple version branches: all versions prior to 6.8.150, versions from 25.0.0 up to but not including 25.0.82, and versions from 26.0.0 up to but not including 26.0.5. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network attack vector, low complexity, no authentication required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a prime target for attackers seeking to compromise enterprise environments. The flaw is fixed in versions 6.8.150, 25.0.82, and 26.0.5. Given Group-Office's role in managing sensitive customer and collaboration data, successful exploitation could lead to full system compromise, data theft, or disruption of business operations.

For European organizations, the impact of CVE-2026-25134 is substantial. Group-Office is widely used in enterprise environments for CRM and groupware functions, often handling sensitive customer data and internal communications. A successful remote code execution attack could allow adversaries to gain full control over affected servers, leading to data breaches, unauthorized data manipulation, or service disruptions. This could result in financial losses, reputational damage, and regulatory penalties under GDPR due to compromised personal data. The vulnerability's network-exploitable nature and lack of required user interaction increase the risk of automated or targeted attacks. Organizations in sectors such as finance, healthcare, and government, which rely heavily on CRM and collaboration tools, are particularly vulnerable. Additionally, the ability to execute arbitrary commands could facilitate lateral movement within networks, escalating the threat beyond the initially compromised system.

To mitigate this vulnerability, organizations should immediately upgrade Group-Office installations to versions 6.8.150, 25.0.82, or 26.0.5 or later. If immediate patching is not feasible, restrict network access to the MaintenanceController endpoints, especially the zipLanguage action, using firewalls or web application firewalls (WAFs). Implement strict input validation and sanitization on parameters passed to system commands, and consider disabling or limiting the use of the zipLanguage functionality if not essential. Monitor logs for unusual zip file uploads or suspicious command execution attempts. Employ intrusion detection systems (IDS) to detect anomalous behavior indicative of exploitation attempts. Regularly audit and review user privileges to ensure that only authorized personnel have access to maintenance functions. Finally, maintain comprehensive backups and incident response plans to recover quickly in case of compromise.