CVE-2025-63406: GroupOffice Remote Code Execution Vulnerability

- Product: GroupOffice
- Affected Component: Custom Field Function Field Type
- Vulnerability Type: Remote Code Execution (RCE)
- Severity: Critical (CVSS 3.1: 9.1)
- Authentication Required: Yes (with permission)

Technical Description

- The vulnerability exists in the class located at .
- The method uses PHP's function to execute user-controlled input without proper sanitization.

Proof of Concept

- Step 1: Create a FieldSet
- Step 2: Create Malicious FunctionField
- Step 3: Trigger Code Execution
- Expected Result: The server executes the command, demonstrating successful code execution.

Impact Assessment

- Complete Server Compromise
- Data Exfiltration
- Lateral Movement
- Service Disruption
- Privilege Escalation

Affected Versions

- GroupOffice installations that include the custom fields functionality.

Prerequisites for Exploitation

- Valid authentication to GroupOffice
- User account with permission
- Access to entities that support custom fields

Mitigation Recommendations

- Disable FunctionField Type
- Review Permissions
- Monitor Logs
- Remove usage
- Implement strict validation for function field expressions
- Use a sandboxed parser library for mathematical expressions

Proposed Fix

- Replace with a safe mathematical expression evaluator.

Timeline

- Discovery Date: 2025-08-28
- Vendor Notification: 2025-08-29
- Fix Released: Fixed in 25.0.47 and 6.8.136

Credit

- Discovered by: Noah "nxvh" Heraud
- Contact: heraud260@gmail.com

Responsible Disclosure

- Acknowledgment within 5 business days
- Regular updates on remediation progress
- Credit in security advisories
- Coordination on public disclosure timing

References

- GroupOffice Official Website
- OWASP Code Injection Prevention
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
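The proposed fix above (a safe mathematical expression evaluator instead of dynamic code evaluation) sketched as an added example; this is not GroupOffice's code, and the function name and the shape of the `$fields` whitelist are assumptions. The evaluator tokenizes the formula, resolves identifiers only against a caller-supplied whitelist of field values, and rejects every other character, so no part of the expression is ever executed as PHP.

```php
<?php
// Added example, not GroupOffice's code: a sandboxed arithmetic evaluator for
// custom-field formulas. Only numbers, whitelisted field names, + - * / ^, unary
// minus and parentheses are accepted (PHP 8+); function name and $fields shape are assumed.
function evaluateFieldExpression(string $expr, array $fields): float
{
    // [precedence, associativity] per operator; 'u' is the internal token for unary minus.
    $ops = ['+' => [1, 'L'], '-' => [1, 'L'], '*' => [2, 'L'], '/' => [2, 'L'], '^' => [3, 'R'], 'u' => [3, 'R']];
    // Tokenize; the trailing \S alternative makes any other character a token that is rejected below.
    preg_match_all('/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/^()]|\S/', $expr, $m);
    $out = []; $stack = []; $prev = null;
    foreach ($m[0] as $t) {
        if (is_numeric($t)) { $out[] = (float)$t; }
        elseif (preg_match('/^[A-Za-z_]\w*$/', $t)) {              // identifiers: whitelist only
            if (!array_key_exists($t, $fields)) throw new InvalidArgumentException("Unknown field: $t");
            $out[] = (float)$fields[$t];
        } elseif ($t === '(') { $stack[] = $t; }
        elseif ($t === ')') {
            while ($stack && end($stack) !== '(') $out[] = array_pop($stack);
            if (!$stack) throw new InvalidArgumentException('Unbalanced parentheses');
            array_pop($stack);
        } elseif (isset($ops[$t])) {
            // '-' at the start, after '(' or after another operator is unary minus.
            if ($t === '-' && ($prev === null || $prev === '(' || isset($ops[$prev]))) $t = 'u';
            while ($stack && ($top = end($stack)) !== '(' && ($ops[$top][0] > $ops[$t][0]
                   || ($ops[$top][0] === $ops[$t][0] && $ops[$t][1] === 'L'))) $out[] = array_pop($stack);
            $stack[] = $t;
        } else {
            throw new InvalidArgumentException("Illegal token: $t");  // e.g. ; $ ' " ? ,
        }
        $prev = $t;
    }
    while ($stack) {
        if (($op = array_pop($stack)) === '(') throw new InvalidArgumentException('Unbalanced parentheses');
        $out[] = $op;
    }
    $vals = [];                                                      // evaluate the postfix queue
    foreach ($out as $tok) {
        if (is_float($tok)) { $vals[] = $tok; continue; }
        if ($tok === 'u') { $vals[] = -(array_pop($vals) ?? throw new InvalidArgumentException('Malformed')); continue; }
        if (count($vals) < 2) throw new InvalidArgumentException('Malformed expression');
        $b = array_pop($vals); $a = array_pop($vals);
        $vals[] = match ($tok) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '^' => $a ** $b,
            '/' => $b == 0.0 ? throw new DivisionByZeroError('Division by zero') : $a / $b };
    }
    if (count($vals) !== 1) throw new InvalidArgumentException('Malformed expression');
    return $vals[0];
}
// Constructed sample over whitelisted numeric fields: prints 54. A '?' or ';' in a
// formula raises "Illegal token" instead of ever reaching an interpreter.
echo evaluateFieldExpression('price * qty * (1 - discount)', ['price' => 20, 'qty' => 3, 'discount' => 0.1]), PHP_EOL;
```

Field values are coerced to float and unknown identifiers are refused, so a formula can only combine the numeric fields the caller chose to expose.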