CVE-2026-27947: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Intermesh groupoffice
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
AI Analysis
Technical Summary
CVE-2026-27947 affects Intermesh Group-Office, an enterprise CRM and groupware solution, in versions before 26.0.9, 25.0.87, and 6.8.154. The root cause is improper neutralization of argument delimiters (CWE-88) in the handling of TNEF attachments (winmail.dat). After extracting the attachment's contents into a working directory, Group-Office packages them by invoking zip through a shell with a wildcard (`*`). The shell expands the wildcard into the extracted filenames and passes them to zip as plain arguments, with nothing marking them as file operands; because those names come straight from the attacker-supplied winmail.dat, any name that begins with a dash is parsed by zip as an option rather than as a path. Info-ZIP zip has options that hand control to an external command (its archive-test option `-T` together with `-TT`/`--unzip-command`), so control over the filenames alone is enough to make the server run an attacker-chosen command: remote code execution for any authenticated user who can get such an attachment processed. Because the malicious names arrive inside an uploaded attachment, the issue also touches CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS 4.0 assessment characterizes it as network-reachable, low attack complexity, no user interaction, and requiring only an authenticated account, with high confidentiality, integrity and availability impact. No public exploit is known at the time of writing, but the wildcard-injection pattern is well understood and simple to weaponize once an account is available. Versions 26.0.9, 25.0.87, and 6.8.154 correct the invocation.
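The mechanism above, as an added illustrative example (not Group-Office code; the function names, the attachment names and the scratch directory are constructed for the demo, and zip is never executed). It shows the argument list zip actually receives when a shell wildcard expands attacker-chosen names, the hardened invocation that builds argv itself and prefixes every entry with `./`, and a filename sanitizer as a second layer at extraction time:

```python
"""Wildcard argument injection into zip: the vulnerable shell pattern beside a hardened one.

Added illustrative example, not Group-Office code. The function names, the
attachment names and the scratch directory are constructed for the demo; the real
TNEF extraction code is not reproduced and zip is never executed here.
"""
import os
import re
import tempfile

# Constructed attachment names as a hostile winmail.dat could supply them.
# Two start with '-' and are exactly what zip's option parser would consume.
EXTRACTED_NAMES = ["-T", "-TT", "report.docx"]


def shell_glob(workdir):
    """Approximate what the shell substitutes for `*` in workdir: every non-hidden
    entry, sorted. The shell neither quotes them nor marks them as operands, so a
    name beginning with '-' reaches zip looking exactly like an option."""
    return sorted(n for n in os.listdir(workdir) if not n.startswith("."))


def build_vulnerable_argv(workdir, archive="attachments.zip"):
    """argv that `sh -c 'cd WORKDIR && zip -r attachments.zip *'` hands to zip."""
    return ["zip", "-r", archive] + shell_glob(workdir)


def option_like_args(argv):
    """Arguments after the archive name that zip would parse as options, not paths."""
    return [a for a in argv[3:] if a.startswith("-")]


def build_hardened_argv(workdir, archive="attachments.zip"):
    """No shell, no wildcard: an explicit argv in which every extracted entry is
    prefixed with './'. Such an argument can never begin with '-', so zip treats
    it as a path whatever the attacker called it. (Passing the list on stdin
    with `zip -@` achieves the same separation.)"""
    return ["zip", "-r", archive] + ["./" + n for n in shell_glob(workdir)]


# Second layer, at extraction time: basename only, must start with a letter or
# digit (so no leading '-', no '.' / '..' / dotfiles), conservative character set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


def sanitize_attachment_name(name):
    """Return a safe basename for an extracted attachment, or None if the name
    must be replaced (callers should substitute a generated name, not skip the
    file silently)."""
    base = os.path.basename(name.replace("\\", "/"))
    return base if _SAFE_NAME.fullmatch(base) else None


def demo(names=EXTRACTED_NAMES):
    """Write the extracted names into a scratch directory and return what each
    invocation style would pass to zip. Nothing is executed."""
    with tempfile.TemporaryDirectory() as workdir:
        for n in names:
            with open(os.path.join(workdir, n), "w", encoding="utf-8") as fh:
                fh.write("constructed attachment body\n")
        vulnerable = build_vulnerable_argv(workdir)
        return {
            "vulnerable": vulnerable,
            "injected_options": option_like_args(vulnerable),
            "hardened": build_hardened_argv(workdir),
            "sanitized": [sanitize_attachment_name(n) for n in names],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>17}: {value}")
```

The `./` prefix (or `-@`) is the durable fix because it removes the ambiguity at its source: zip can no longer mistake an operand for an option, whatever the name. The sanitizer is worth keeping as well, since the same names end up on disk and in download headers, but on its own it would be a blocklist race against every future zip option.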
Potential Impact
This vulnerability allows an authenticated attacker to execute arbitrary commands on the Group-Office server, potentially leading to full system compromise. The attacker could steal sensitive CRM and groupware data, manipulate or delete information, disrupt service availability, or use the compromised server as a pivot point for further network intrusion. Given Group-Office’s role in managing enterprise communications and customer data, exploitation could result in significant data breaches, operational disruption, and reputational damage. The requirement for authentication limits exposure but does not eliminate risk, especially in environments with weak credential management or exposed login interfaces. The high CVSS score reflects the broad impact on confidentiality, integrity, and availability, making this a critical threat for organizations relying on affected versions of Group-Office.
Mitigation Recommendations
Upgrade Group-Office to 26.0.9, 25.0.87, or 6.8.154 (or later) as soon as possible; that is the only complete remediation, since the fix changes how the application invokes zip. Until the upgrade is applied: enforce strong authentication, including multi-factor authentication, because a valid account is all the attacker needs; restrict access to the Group-Office web interface to trusted networks or a VPN where practical; and, if TNEF (winmail.dat) handling is not required, disable or restrict it. Monitor process-execution logs (auditd, EDR) for zip being launched by the web server or PHP user with dash-prefixed arguments after the archive name, which is exactly what glob-expanded malicious filenames look like. For anyone maintaining a fork or custom build, the durable fix is not filename sanitization alone but removing the shell wildcard: build the argument list explicitly and pass each extracted name in a form that cannot start with a dash (for example prefixed with ./), or feed the list to zip on stdin with -@; restricting extracted names to a safe character set is a worthwhile second layer. Consider host-based intrusion detection for anomalous child processes of the web application, audit user accounts and permissions to minimize who can reach the vulnerable functionality, and keep tested backups to recover from a compromise.
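The monitoring advice above, as an added example (not Group-Office or any vendor's detection content). The audit records are constructed auditd EXECVE lines in the real record format, not captured from a system; timestamps and serials are made up. The rule parses argv from the record (including auditd's hex encoding of arguments that contain spaces), ignores options that legitimately precede the archive name, and flags any dash-prefixed argument that follows it, raising severity when the argument is one of zip's command-running options:

```python
"""Flag the injected-option pattern in process execution logs.

Added example, not Group-Office or any vendor's detection content. The audit
lines below are constructed auditd EXECVE records in the real record format,
not captured from a system; timestamps and serials are made up.
"""
import re

SAMPLE_AUDIT_LINES = [
    # Benign: options precede the archive, everything after it is a './' path.
    'type=EXECVE msg=audit(1772000000.101:9001): argc=4 a0="zip" a1="-r" a2="export.zip" a3="./report.pdf"',
    # Vulnerable pattern: names expanded from '*', two of which zip reads as options.
    # auditd hex-encodes arguments containing spaces, hence a5 without quotes.
    'type=EXECVE msg=audit(1772000000.207:9002): argc=6 a0="zip" a1="-r" a2="attachments.zip" a3="-T" a4="-TT" a5=717561727465726C79207265706F72742E646F63',
    # Unrelated binary, ignored by the rule.
    'type=EXECVE msg=audit(1772000000.311:9003): argc=3 a0="unzip" a1="-l" a2="winmail.zip"',
]

_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# Info-ZIP zip options that hand control to an external command (with -T set).
COMMAND_OPTIONS = {"-TT", "--unzip-command"}


def parse_execve(line):
    """Return (serial, argv) for an auditd EXECVE record, or None for other types."""
    if "type=EXECVE" not in line:
        return None
    m = _SERIAL.search(line)
    args = []
    for idx, quoted, hexed in _ARG.findall(line):
        value = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
        args.append((int(idx), value))
    return (m.group(1) if m else None, [v for _, v in sorted(args)])


def injected_options(argv):
    """Dash-prefixed arguments that follow the first positional argument (the
    archive name). A fixed invocation such as `zip -r out.zip ./file` never puts
    an option there; names expanded from a shell wildcard can. zip itself
    accepts options anywhere, so tune this to the invocation you expect."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "zip":
        return []
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 1  # genuine leading options
    return [a for a in argv[i + 1:] if a.startswith("-")]


def scan(lines):
    """Run the rule over a batch of lines; one finding per offending exec."""
    findings = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        serial, argv = parsed
        injected = injected_options(argv)
        if injected:
            command_capable = any(o.split("=", 1)[0] in COMMAND_OPTIONS for o in injected)
            findings.append({
                "serial": serial,
                "argv": argv,
                "injected": injected,
                "severity": "high" if command_capable else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LINES):
        print(f["severity"], f["serial"], f["injected"], f["argv"][-1])
```

In production, scope the rule to executions whose parent is the PHP or web-server process and pair it with the EXECVE record's SYSCALL line for uid and cwd; a zip run from the TNEF working directory with any injected option is worth an alert even at medium severity, because the benign invocation never produces one.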
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Australia, Canada, Switzerland, Sweden, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:11:36.690Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a1fa6032ffcdb8a26d1c61
Added to database: 2/27/2026, 8:11:12 PM
Last enriched: 3/6/2026, 9:19:11 PM
Last updated: 4/13/2026, 3:45:04 AM