CVE-2026-25511: CWE-918: Server-Side Request Forgery (SSRF) in Intermesh groupoffice
CVE-2026-25511 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting Intermesh's Group-Office versions prior to 6.8.150, 25.0.82, and 26.0.5. An authenticated user with System Administrator privileges can exploit the WOPI service discovery URL to perform SSRF attacks, including accessing internal hosts and ports. The vulnerability allows exfiltration of SSRF response data via the built-in debug system, effectively making the SSRF visible and enabling full server-side file reads. No user interaction is required beyond authentication, and the vulnerability has a CVSS 4.
AI Analysis
Technical Summary
CVE-2026-25511 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, discovered in Intermesh's Group-Office enterprise CRM and groupware tool. The vulnerability exists in versions prior to 6.8.150, 25.0.82, and 26.0.5. It allows an authenticated user with System Administrator privileges to exploit the WOPI service discovery URL to send crafted requests from the server to internal network hosts and ports that are normally inaccessible externally. The SSRF can be leveraged to access sensitive internal services, potentially bypassing network segmentation and firewall rules. Additionally, the SSRF response body can be exfiltrated through the built-in debug system, effectively turning a blind SSRF into a visible one, which significantly increases the attacker's ability to gather information. This visibility also enables full server-side file read capabilities, which can lead to disclosure of sensitive files and credentials stored on the server. The vulnerability requires no user interaction beyond authentication and has a CVSS 4.0 score of 8.2, reflecting high impact on confidentiality and integrity with low attack complexity. The flaw has been addressed in the specified patched versions. No public exploits have been reported yet, but the potential for severe impact exists if exploited. The vulnerability highlights the risks of SSRF in administrative interfaces and the importance of strict access controls and input validation in enterprise collaboration software.
Potential Impact
For European organizations, the impact of CVE-2026-25511 can be significant. Exploitation allows attackers with System Administrator credentials to bypass internal network protections and access sensitive internal services and data, potentially leading to data breaches, lateral movement, and compromise of critical infrastructure. The ability to read server-side files can expose configuration files, credentials, and other sensitive information, increasing the risk of further exploitation. Organizations relying on Group-Office for CRM and groupware functions may face operational disruptions and data confidentiality breaches. Given the high CVSS score and the administrative level required, the threat is particularly concerning for enterprises with complex internal networks and valuable internal resources. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if credentials are compromised or insider threats exist.
Mitigation Recommendations
1. Immediately upgrade Group-Office installations to versions 6.8.150, 25.0.82, or 26.0.5 or later to apply the official patches addressing this SSRF vulnerability.
2. Restrict System Administrator group membership strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
3. Disable or restrict access to the WOPI service discovery URL if it is not required for business operations.
4. Implement network segmentation and firewall rules to limit the server's ability to make arbitrary outbound requests to internal hosts and ports, reducing the SSRF attack surface.
5. Monitor logs and debug outputs for unusual or unexpected requests that may indicate SSRF exploitation attempts.
6. Conduct regular security audits and penetration testing focusing on SSRF and internal service exposure.
7. Educate administrators on the risks of SSRF and the importance of applying security patches promptly.
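The input-validation and outbound-restriction points above can also be enforced in application code before a configured discovery URL is ever fetched. The following is an added example, not Group-Office's patch or code from the vendor; the function names, the HTTPS-on-443 policy and the sample hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumption: discovery is only fetched over TLS
ALLOWED_PORTS = {443}         # assumption: site policy, extend if needed

# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {
    "office.example.test": {"8.8.8.8"},
    "intranet.example.test": {"10.0.0.5"},
    "mixed.example.test": {"8.8.8.8", "127.0.0.1"},
}

def sample_resolver(host, port):
    """Offline stand-in for DNS: IP literals map to themselves."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in SAMPLE_DNS:
            raise OSError("name does not resolve")
        return SAMPLE_DNS[host]

def system_resolver(host, port):
    """Real lookup: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_discovery_url(url, resolver=system_resolver):
    """Return (ok, reason, addresses). Connect only to the returned addresses
    and do not follow redirects, otherwise the check can be bypassed."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or 443
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        addresses = resolver(host, port)
    except OSError:
        return False, "host does not resolve", []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if getattr(ip, "ipv4_mapped", None):   # unwrap ::ffff:a.b.c.d
            ip = ip.ipv4_mapped
        if not ip.is_global:                   # loopback, RFC 1918, link-local, ...
            return False, f"{text} is not a public address", []
    return True, "ok", sorted(addresses)
```

A check like this complements, and does not replace, egress filtering at the network layer: if the office server legitimately lives on an internal address, use an explicit allowlist of that host instead of the public-address rule.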
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T18:21:42.486Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6983afd6f9fa50a62fabdb3e
Added to database: 2/4/2026, 8:45:10 PM
Last enriched: 2/4/2026, 8:59:46 PM
Last updated: 2/5/2026, 12:52:19 AM