Platform: php
Component: groupoffice
Fixed in: 6.8.157, 25.0.91, 26.0.13
CVE-2026-34838 is a critical Remote Code Execution (RCE) vulnerability affecting Group-Office. This flaw stems from insecure deserialization within the AbstractSettingsCollection model, allowing an authenticated attacker to inject a serialized FileCookieJar object. Successful exploitation leads to arbitrary file write, ultimately resulting in RCE on the server. This impacts Group-Office versions less than or equal to 26.0.12. The vulnerability is patched in versions 6.8.156, 25.0.90, and 26.0.12.
CVE-2023-34838 in Group-Office, an enterprise customer relationship management (CRM) and groupware tool, presents a critical Remote Code Execution (RCE) risk. The flaw lies within the AbstractSettingsCollection model, where insecure deserialization of settings can be exploited. An authenticated attacker can inject a serialized FileCookieJar object into a setting string, allowing them to write files arbitrarily on the server. This could result in complete system compromise, sensitive data exfiltration, or denial of service. Affected versions are those prior to 6.8.156, 25.0.90, and 26.0.12. The CVSS severity score is 10.0, indicating a critical impact.
Exploitation of this vulnerability requires the attacker to be authenticated within the Group-Office system. The attacker must be able to modify or inject data into the system’s configuration. The serialized FileCookieJar object injection is performed through manipulation of a setting string. Once the compromised configuration is loaded, the FileCookieJar object is deserialized, allowing the attacker to write files to arbitrary locations on the server. The success of exploitation depends on the server configuration and the authenticated user’s permissions.
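The following is an added example, not Group-Office's own code: a hypothetical settings loader (class and method names are assumed) that shows the vulnerable `unserialize()` pattern described above next to a hardened variant that refuses serialized objects, plus a small check a defender can run over stored setting strings to flag object payloads.

```php
<?php
// Added example, not Group-Office code. Hypothetical settings store that keeps each
// value as a serialized PHP string, the pattern behind CVE-2026-34838.

final class UnsafeSettings
{
    /** Vulnerable pattern: unserialize() on a user-controlled string restores any class. */
    public static function load(string $raw): mixed
    {
        return unserialize($raw); // an 'O:' record instantiates an arbitrary gadget class
    }
}

final class SafeSettings
{
    /** Hardened: a setting only ever needs scalars or arrays, so reject objects outright. */
    public static function load(string $raw): mixed
    {
        if (self::looksLikeObject($raw)) {
            throw new UnexpectedValueException('serialized object in settings value rejected');
        }
        // allowed_classes => false turns any object record into __PHP_Incomplete_Class,
        // so no __wakeup(), __unserialize() or __destruct() of a gadget class ever runs.
        $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
        if ($value === false && $raw !== serialize(false)) {
            throw new UnexpectedValueException('malformed settings value');
        }
        return $value;
    }

    /** Detection helper: flags values carrying an object (O:) or custom-serialized (C:) record. */
    public static function looksLikeObject(string $raw): bool
    {
        return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
    }
}

// Constructed sample values: a benign scalar setting and a benign array setting.
$benign = [serialize('Europe/Amsterdam'), serialize(['rows' => 25, 'dark' => true])];
foreach ($benign as $raw) {
    var_dump(SafeSettings::load($raw));           // both load normally
}
var_dump(SafeSettings::looksLikeObject('O:8:"stdClass":0:{}')); // bool(true): flagged
```

The same `looksLikeObject()` check can be run over the settings table of an existing installation to find values that already contain an object record before upgrading.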
EPSS: 0.51% (66th percentile)
The most effective solution is to upgrade Group-Office to version 6.8.156, 25.0.90, or 26.0.12. These versions include the fix for the insecure deserialization vulnerability. If an immediate upgrade is not possible, apply temporary mitigations: restrict the ability to modify Group-Office settings to the users who need it, and actively monitor system logs for suspicious activity. Review security policies and make sure users follow best practices so that malicious data is not introduced into the configuration. A comprehensive security audit is recommended after applying the update.
Update Group-Office to versions 6.8.156, 25.0.90, or 26.0.12, or a later version. This corrects the insecure deserialization vulnerability in AbstractSettingsCollection that allows remote code execution.
Insecure deserialization occurs when a system converts serialized data back into objects without validating it, allowing attacker-supplied data to instantiate objects whose behaviour the attacker controls and thereby to inject malicious code.
Check the version of Group-Office you are using. If it is prior to 6.8.156, 25.0.90, or 26.0.12, it is vulnerable.
Implement temporary mitigation measures, such as restricting configuration access and monitoring system logs.
Currently, there are no specific tools to detect this vulnerability, but regular security audits are recommended.
You can find more information on Group-Office security resources and vulnerability databases like NIST NVD.