CVE-2026-27947
Published: 27 February 2026
Summary
CVE-2026-27947 is a high-severity Argument Injection (CWE-88) vulnerability in Intermesh Group-Office. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of the specific flaw in TNEF attachment processing that enables RCE via crafted filenames interpreted as zip options.
- SI-10 (Information Input Validation): Mandates validation of attacker-controlled filenames extracted from winmail.dat attachments to prevent their interpretation as shell command options leading to arbitrary execution.
- Restricts processing of dangerous attachment types like winmail.dat, directly mitigating unrestricted upload of files with exploitable content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web application (T1190): authenticated RCE via malicious winmail.dat attachment processing, which directly leads to Unix shell command execution (T1059.004) through shell wildcard manipulation in the zip command.
NVD Description
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.9, 25.0.87, and 6.8.154 have an authenticated Remote Code Execution vulnerability in the TNEF attachment processing flow. The vulnerable path extracts attacker-controlled files from `winmail.dat` and then invokes `zip` with a shell wildcard (`*`). Because extracted filenames are attacker-controlled, they can be interpreted as `zip` options and lead to arbitrary command execution. Versions 26.0.9, 25.0.87, and 6.8.154 fix the issue.
Deeper analysis
Group-Office, an enterprise customer relationship management and groupware tool, is affected by CVE-2026-27947, an authenticated remote code execution vulnerability in versions prior to 26.0.9, 25.0.87, and 6.8.154. The flaw exists in the TNEF attachment processing flow, where attacker-controlled files are extracted from winmail.dat attachments, followed by invocation of the zip command using a shell wildcard (*). Attacker-controlled filenames can be crafted to be interpreted as zip options, enabling arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 88 (Improper Neutralization of Argument Delimiters in a Command) and 434 (Unrestricted Upload of File with Dangerous Type).
An authenticated attacker with low privileges can exploit this remotely with low complexity and no user interaction required. By uploading or processing a malicious winmail.dat attachment, the attacker controls the extracted filenames, which manipulate the subsequent zip command to execute arbitrary system commands on the server, achieving high confidentiality, integrity, and availability impacts.
The GitHub Security Advisory at https://github.com/Intermesh/groupoffice/security/advisories/GHSA-2rwh-9qp7-f92x documents the issue, confirming that versions 26.0.9, 25.0.87, and 6.8.154 address the vulnerability. Security practitioners should prioritize upgrading affected Group-Office instances to these patched releases for mitigation.
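The argument-injection pattern described above, with a check that flags option-like extracted names and two defensive measures (a filename sanitizer at extraction time, and a shell-free `zip` invocation with `./`-prefixed paths), as an added Python example that is not Group-Office code and not the project's actual fix; the directory contents and names are constructed.

```python
import os
import re
import shlex
import tempfile

# Names that a shell glob would hand to zip as options rather than files.
OPTION_LIKE = re.compile(r"^-")

def vulnerable_command(workdir):
    # The pattern from the advisory: a shell string with a bare wildcard.
    # The shell expands '*' in place, so any extracted name starting with
    # '-' reaches zip as an option, not as a file to archive.
    return f"cd {shlex.quote(workdir)} && zip -r archive.zip *"

def expand_glob(workdir):
    # Mirror what a POSIX shell substitutes for '*': sorted, no dotfiles.
    return sorted(n for n in os.listdir(workdir) if not n.startswith("."))

def option_like_names(workdir):
    # Detection check: which extracted names would zip parse as options?
    return [n for n in expand_glob(workdir) if OPTION_LIKE.match(n)]

def sanitize_attachment_name(name):
    # Input validation (NIST SI-10) at extraction time: keep the base name
    # only, drop non-printable characters, and strip leading '-', '.' and
    # spaces so the stored name can never look like an option or a dotfile.
    base = os.path.basename(name.replace("\\", "/"))
    base = "".join(ch for ch in base if ch.isprintable())
    base = base.lstrip("-. ")
    return base or "attachment"

def safe_zip_argv(workdir, out="archive.zip"):
    # Hardened invocation (an assumption of this example, not the vendor's
    # patch): no shell, an explicit argv list, and every entry prefixed
    # with './' so a leading '-' is part of a path, never an option.
    # Run with subprocess.run(argv, cwd=workdir, check=True).
    return ["zip", "-r", out] + ["./" + n for n in expand_glob(workdir)]

def build_sample_dir():
    # Constructed sample of what a winmail.dat extraction might leave on
    # disk, including one attacker-chosen name that begins with '-'.
    workdir = tempfile.mkdtemp()
    for name in ("report.txt", "-crafted.dat"):
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write("sample\n")
    return workdir

if __name__ == "__main__":
    d = build_sample_dir()
    print("option-like names:", option_like_names(d))
    print("hardened argv:", safe_zip_argv(d))
```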
Details
- CWE(s)