Cyber Posture

CVE-2026-27947

High

Published: 27 February 2026

Modified: 04 March 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely identification, reporting, and correction of the specific flaw in TNEF attachment processing that enables RCE via crafted filenames interpreted as zip options.

prevent

Mandates validation of attacker-controlled filenames extracted from winmail.dat attachments to prevent their interpretation as shell command options leading to arbitrary execution.

prevent

Restricts processing of dangerous attachment types like winmail.dat, directly mitigating unrestricted upload of files with exploitable content.
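The filename-validation control above, sketched as an added example (not Group-Office's code or its patch): it shows why a bare `*` passes option-like names to a command while `./*` does not, and how to flag such names before archiving. All function names and filenames are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: empty files only, no real attachment, zip is never invoked.

# Count arguments that an option parser would treat as options (leading "-").
count_option_like() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed extraction directory: two ordinary names plus one option-like
# name standing in for an attacker-chosen attachment filename.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"
    : > "$d/notes.txt"
    : > "$d/-constructed-option-like-name"
    echo "$d"
}

# Pattern from the description: a bare "*" hands raw filenames to the command.
unsafe_expansion() {
    ( cd "$1" && count_option_like * )
}

# Hardened pattern: "./*" makes every expanded name begin with "./".
hardened_expansion() {
    ( cd "$1" && count_option_like ./* )
}

# Pre-archive check: print extracted names that begin with "-" so the caller
# can reject the attachment instead of archiving it.
list_option_like_names() {
    ( cd "$1" && for f in ./*; do
        case "${f#./}" in
            -*) printf '%s\n' "${f#./}" ;;
        esac
    done )
}
```
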

Security Summary

Group-Office, an enterprise customer relationship management and groupware tool, is affected by CVE-2026-27947, an authenticated remote code execution vulnerability in versions prior to 26.0.9, 25.0.87, and 6.8.154. The flaw exists in the TNEF attachment processing flow, where attacker-controlled files are extracted from winmail.dat attachments, followed by invocation of the zip command using a shell wildcard (*). Attacker-controlled filenames can be crafted to be interpreted as zip options, enabling arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 88 (Improper Neutralization of Argument Delimiters in a Command) and 434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges can exploit this remotely with low complexity and no user interaction required. By uploading or processing a malicious winmail.dat attachment, the attacker controls the extracted filenames, which manipulate the subsequent zip command to execute arbitrary system commands on the server, achieving high confidentiality, integrity, and availability impacts.

The GitHub Security Advisory at https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x documents the issue, confirming that versions 26.0.9, 25.0.87, and 6.8.154 address the vulnerability. Security practitioners should prioritize upgrading affected Group-Office instances to these patched releases for mitigation.

Details

CWE(s)

Affected Products

intermesh
group-office
≤ 6.8.154 · 25.0.1 — 25.0.87 · 26.0.1 — 26.0.9

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables exploitation of a public-facing web application (T1190) for authenticated RCE via malicious winmail.dat attachment processing, directly facilitating Unix shell command execution (T1059.004) through shell wildcard manipulation in the zip command.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
