
CVE-2026-25134: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Intermesh groupoffice

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2026-25134, cwe-88
Published: Mon Feb 02 2026 (02/02/2026, 22:40:15 UTC)
Source: CVE Database V5
Vendor/Project: Intermesh
Product: groupoffice

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/10/2026, 10:48:02 UTC

Technical Analysis

CVE-2026-25134 is a critical vulnerability in Intermesh Group-Office, a widely used enterprise CRM and groupware platform. The vulnerability stems from improper neutralization of argument delimiters (CWE-88) in the MaintenanceController component, specifically in the zipLanguage action. This action accepts a 'lang' parameter from user input and passes it unsanitized directly to a system-level zip command executed via PHP's exec() function. This improper handling allows an attacker to inject additional command arguments, leading to remote code execution (RCE) on the underlying server. The attack vector involves uploading a specially crafted zip file combined with manipulation of the 'lang' parameter to execute arbitrary commands.

The vulnerability affects multiple version branches: all versions prior to 6.8.150, versions from 25.0.0 up to but not including 25.0.82, and versions from 26.0.0 up to but not including 26.0.5. The CVSS 4.0 base score of 9.4 reflects the critical nature, with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to gain full control over affected systems. The flaw allows attackers to bypass typical security controls by leveraging the application's own functionality to execute arbitrary system commands, potentially leading to data theft, service disruption, or lateral movement within networks.

The vulnerability is fixed in versions 6.8.150, 25.0.82, and 26.0.5, where proper input validation and sanitization prevent argument injection. Organizations using vulnerable Group-Office versions should prioritize patching and consider additional controls such as restricting access to the MaintenanceController endpoints and monitoring for suspicious zip file uploads.

Potential Impact

For European organizations, this vulnerability poses a severe risk due to the potential for complete system compromise without requiring authentication or user interaction. Exploitation could lead to unauthorized access to sensitive customer data, disruption of business operations, and potential lateral movement within corporate networks. Given Group-Office's role in managing CRM and groupware functions, an attacker could manipulate or exfiltrate critical business information, impacting confidentiality and integrity. The availability of services could also be disrupted by executing destructive commands. The critical CVSS score reflects the high likelihood of exploitation and the broad impact on affected systems. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Group-Office for collaboration and customer management are particularly vulnerable. The absence of known exploits in the wild provides a narrow window for proactive defense, but the ease of exploitation and severity demand immediate attention. Failure to remediate could result in significant operational and reputational damage, regulatory penalties under GDPR for data breaches, and financial losses.

Mitigation Recommendations

1. Immediately upgrade all affected Group-Office installations to versions 6.8.150, 25.0.82, or 26.0.5 where the vulnerability is patched.
2. Restrict network access to the MaintenanceController endpoints, especially the zipLanguage action, using firewalls or web application firewalls (WAFs) to limit exposure.
3. Implement strict input validation and sanitization at the application layer if upgrading is delayed, to prevent injection of malicious arguments.
4. Monitor logs for unusual zip file uploads or execution of unexpected system commands originating from the Group-Office server.
5. Employ intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts.
6. Conduct regular security audits and penetration testing focused on web application components handling file uploads and system command execution.
7. Educate system administrators and users about the risks of uploading untrusted files and the importance of timely patching.
8. Consider isolating Group-Office servers in segmented network zones to limit lateral movement if compromised.
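The input validation in recommendation 3 can be sketched as follows. This is an added example, not Group-Office source code and not the vendor's patch. The function names, the language-code pattern, the archive name and the directories are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Group-Office source: all names and paths are hypothetical.

/** Accept only short language codes such as "en", "nl" or "pt_br" (assumed format). */
function validateLang(string $lang): string
{
    // Anchored allow-list: a leading "-", spaces, slashes or dots cannot pass,
    // so zip can never read the value as an option or as a path elsewhere.
    if (preg_match('/\A[a-z]{2,3}(?:_[a-z]{2})?\z/', $lang) !== 1) {
        throw new InvalidArgumentException('Invalid language code');
    }
    return $lang;
}

/** Build the argument vector for zip; no shell command string is assembled. */
function buildZipCommand(string $lang, string $outDir): array
{
    $lang = validateLang($lang);
    $archive = $outDir . '/lang-' . $lang . '.zip'; // assumed output name
    // "./" prefix: defence in depth, the operand is always parsed as a path.
    return ['zip', '-q', '-r', $archive, './' . $lang];
}

/** Run zip with $langRoot as working directory; returns zip's exit code. */
function zipLanguageSafely(string $lang, string $langRoot, string $outDir): int
{
    $argv = buildZipCommand($lang, $outDir);
    // Array form of proc_open (PHP >= 7.4) starts the program directly,
    // so shell metacharacters and word splitting never apply.
    $discard = ['file', '/dev/null', 'w'];
    $proc = proc_open($argv, [1 => $discard, 2 => $discard], $pipes, $langRoot);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start zip');
    }
    return proc_close($proc);
}

// Constructed inputs: the first two are accepted, the rest are rejected.
foreach (['en', 'pt_br', '-v', 'en fr', '../etc'] as $candidate) {
    try {
        echo $candidate, ' => ', implode(' ', buildZipCommand($candidate, '/tmp/out')), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $candidate, ' => rejected', PHP_EOL;
    }
}
```

Shell quoting alone does not address CWE-88, because a correctly quoted value that begins with `-` is still parsed by the called program as an option; the allow-list is what closes that gap.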


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-29T14:03:42.540Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69813005f9fa50a62f63a3f3

Added to database: 2/2/2026, 11:15:17 PM

Last enriched: 2/10/2026, 10:48:02 AM

Last updated: 3/24/2026, 12:13:04 AM
