CVE-2026-25512 is an OS command injection vulnerability classified under CWE-78 affecting Intermesh Group-Office, an enterprise CRM and groupware platform. The vulnerability exists in the email/message/tnefAttachmentFromTempFile endpoint, where the tmp_file parameter is directly concatenated into an exec() system call without proper sanitization or neutralization of shell metacharacters. This improper input handling allows an authenticated attacker to inject arbitrary shell commands, leading to remote code execution on the server hosting Group-Office. The vulnerability affects multiple version branches prior to 6.8.150, 25.0.82, and 26.0.5, indicating a broad impact across different release lines. Exploitation does not require user interaction but does require authentication, which lowers the barrier for attackers who have valid credentials or can compromise accounts. The CVSS 4.0 base score of 9.4 reflects the critical nature of this flaw, with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers seeking to gain full control over affected systems. The flaw underscores the importance of secure coding practices, especially input validation and command execution safeguards in web applications handling user-supplied data.

For European organizations, this vulnerability poses a significant threat to the confidentiality, integrity, and availability of sensitive business and customer data managed within Group-Office. Successful exploitation could lead to full system compromise, data theft, unauthorized data manipulation, and disruption of critical collaboration and CRM services. Given Group-Office’s role in managing enterprise communications and customer relationships, an attacker could leverage this access to pivot within networks, escalate privileges, and conduct further attacks such as ransomware deployment or espionage. The requirement for authentication means insider threats or compromised credentials could be leveraged easily. Disruption of Group-Office services could impact business continuity, especially for organizations relying heavily on integrated groupware and CRM functionalities. Additionally, regulatory compliance risks arise under GDPR if personal data is exposed or altered. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands urgent patching and monitoring.

1. Immediately upgrade all Group-Office installations to versions 6.8.150, 25.0.82, or 26.0.5 or later, where the vulnerability is patched. 2. Restrict access to the Group-Office application to trusted users and networks, employing network segmentation and zero-trust principles. 3. Enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce risk from compromised credentials. 4. Conduct thorough input validation and sanitization reviews for all user-supplied parameters, especially those passed to system commands. 5. Implement application-level monitoring and alerting for unusual command execution patterns or unexpected system calls. 6. Regularly audit user accounts and permissions to minimize the number of users with access to vulnerable endpoints. 7. Employ web application firewalls (WAFs) with custom rules to detect and block injection attempts targeting the tmp_file parameter. 8. Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation. 9. Educate administrators and users about the risks of credential compromise and suspicious activity reporting. 10. Monitor threat intelligence feeds for any emerging exploits related to this CVE to respond promptly.