CVE-2026-25511: CWE-918: Server-Side Request Forgery (SSRF) in Intermesh groupoffice
CVE-2026-25511 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in Intermesh's Group-Office product affecting versions prior to 6.8.150, 25.0.82, and 26.0.5. An authenticated user with System Administrator privileges can exploit the WOPI service discovery URL to perform SSRF attacks, including accessing internal hosts and ports. The vulnerability allows exfiltration of SSRF response bodies via the built-in debug system, effectively making the SSRF visible and enabling full server-side file read. No user interaction is required beyond authentication, and the vulnerability does not require additional privileges beyond System Administrator access.
AI Analysis
Technical Summary
CVE-2026-25511 is a Server-Side Request Forgery (SSRF) vulnerability identified in Intermesh's Group-Office, an enterprise CRM and groupware tool. The flaw exists in the WOPI (Web Application Open Platform Interface) service discovery URL component, which, prior to patched versions 6.8.150, 25.0.82, and 26.0.5, allows an authenticated user with System Administrator privileges to induce the server to make arbitrary HTTP requests to internal or external hosts and ports. This SSRF can be leveraged to access internal network resources that are otherwise inaccessible externally, potentially bypassing firewall restrictions. Furthermore, the SSRF response body can be exfiltrated through the application's built-in debug system, effectively turning the SSRF into a visible attack vector. This capability extends the attacker's reach to reading arbitrary files on the server, escalating the impact from mere network reconnaissance to direct data exposure. The vulnerability requires no user interaction beyond authentication and no additional privileges beyond System Administrator group membership. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) without affecting integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability has been addressed in the specified patched versions, and upgrading is strongly recommended.
Potential Impact
For European organizations, this vulnerability poses significant risks, particularly for enterprises relying on Group-Office for CRM and collaboration. Exploitation can lead to unauthorized internal network scanning and access, potentially exposing sensitive internal services and data repositories. The ability to read server-side files can result in leakage of confidential information, including credentials, configuration files, or personal data protected under GDPR. This could lead to regulatory penalties, reputational damage, and operational disruptions. Since the vulnerability requires System Administrator authentication, insider threats or compromised administrator accounts are primary risk vectors. However, given that many organizations use Group-Office in critical business functions, the impact of a successful exploit could be severe, including lateral movement within networks and data exfiltration. The high CVSS score reflects the critical nature of confidentiality breaches and the ease of exploitation once authenticated.
Mitigation Recommendations
European organizations should immediately verify their Group-Office versions and upgrade to 6.8.150, 25.0.82, or 26.0.5 or later to remediate this vulnerability. Beyond patching, organizations should enforce strict access controls and monitoring on System Administrator accounts to prevent unauthorized access. Implement multi-factor authentication (MFA) for all administrative users to reduce the risk of credential compromise. Network segmentation should be employed to limit the Group-Office server's ability to access sensitive internal resources, minimizing the impact of SSRF exploitation. Disable or restrict the built-in debug system or ensure it is not accessible in production environments to prevent exfiltration of SSRF responses. Conduct regular audits of server logs for unusual internal requests originating from Group-Office. Finally, consider deploying web application firewalls (WAFs) with rules to detect and block SSRF patterns targeting internal IP ranges.
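As a defence-in-depth illustration of the destination check that stops this class of SSRF, the following added example (not Group-Office's own code or its patch) validates an administrator-supplied WOPI discovery URL before the server fetches it. The function names, the stub resolver and the sample hostnames and URLs are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "wopi.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}

def stub_resolver(host):
    """Hypothetical resolver backed by the constructed table above."""
    if host not in CONSTRUCTED_DNS:
        raise OSError("name not found")
    return CONSTRUCTED_DNS[host]

def system_resolver(host):
    """Every address the name maps to, via the OS resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def check_discovery_url(url, resolver=system_resolver):
    """Return (allowed, reason) for an admin-supplied discovery URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before classifying.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        # Reject if ANY answer is loopback, private, link-local or reserved.
        if not addr.is_global or addr.is_multicast:
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"
```

A check like this only holds if the HTTP client then connects to the validated address rather than resolving the name a second time, and if redirects are disabled or each redirect target is passed through the same check.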
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T18:21:42.486Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6983afd6f9fa50a62fabdb3e
Added to database: 2/4/2026, 8:45:10 PM
Last enriched: 2/12/2026, 7:27:39 AM
Last updated: 3/21/2026, 10:30:08 PM