CVE-2026-27947
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
Analysis
Group Office versions before 26.0.9, 25.0.87, and 6.8.154 allow authenticated attackers to execute arbitrary commands through maliciously crafted TNEF attachments, where attacker-controlled filenames in winmail.dat are processed unsafely with zip wildcard expansion. An attacker with valid credentials can exploit this to achieve remote code execution with full system privileges. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Group-Office instances and document current versions; disable TNEF attachment processing if possible or restrict access to trusted users only. Within 7 days: Implement email gateway scanning for TNEF attachments; segment Group-Office systems from critical infrastructure; enforce multi-factor authentication for all users. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today