CVE-2026-27947 is a critical vulnerability affecting Intermesh Group-Office, an enterprise CRM and groupware solution. The issue arises in the handling of TNEF (Transport Neutral Encapsulation Format) attachments, specifically winmail.dat files. When Group-Office processes these attachments, it extracts files whose names are attacker-controlled. Subsequently, the application invokes the 'zip' utility with a shell wildcard ('*') to handle these extracted files. Because the filenames are not properly sanitized, an attacker can craft filenames that are interpreted as command-line options or arguments by the zip command, leading to improper neutralization of argument delimiters (CWE-88). This argument injection allows an authenticated attacker to execute arbitrary commands on the underlying system remotely. The vulnerability requires authentication but no additional user interaction, increasing its risk in environments where attackers can obtain valid credentials. The flaw affects multiple major versions of Group-Office prior to 26.0.9, 25.0.87, and 6.8.154, which have since been patched. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and privileges required, with high impact on confidentiality, integrity, and availability, as well as high scope and security requirements. No public exploits have been reported yet, but the critical nature and ease of exploitation make it a significant threat to organizations using vulnerable versions.

The vulnerability allows authenticated attackers to execute arbitrary commands on Group-Office servers, potentially leading to full system compromise. This can result in unauthorized data access, data manipulation, disruption of services, and lateral movement within the network. Given Group-Office's role as a CRM and groupware platform, sensitive customer and organizational data could be exposed or altered. The remote code execution capability could also be leveraged to deploy ransomware, malware, or establish persistent backdoors. The requirement for authentication limits exposure to some extent but does not eliminate risk, especially in environments with weak credential management or phishing susceptibility. The widespread use of Group-Office in enterprise environments globally means that many organizations could be impacted, particularly those that delay patching or use default configurations. The vulnerability's exploitation could severely affect confidentiality, integrity, and availability of critical business systems and data.

Organizations should immediately upgrade Group-Office to versions 26.0.9, 25.0.87, or 6.8.154 or later, which contain patches for this vulnerability. Until patching is possible, restrict access to Group-Office to trusted users and networks, and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Monitor logs for unusual activity related to TNEF attachment processing and zip command executions. Implement strict input validation and sanitization on file names if customization is possible. Consider disabling TNEF attachment processing if not required. Regularly audit user accounts and permissions to limit the number of users with access to vulnerable functionality. Employ network segmentation and endpoint protection to contain potential breaches. Finally, maintain up-to-date backups and incident response plans to mitigate damage in case of exploitation.