In a significant discovery for enterprises and public sector organizations, a critical security vulnerability has been unmasked in GroupOffice, the popular open-source CRM and groupware suite. The flaw, tracked as CVE-2026-34838, carries a maximum CVSS score of 10.0, highlighting a “complete compromise” risk for servers running the software.
The vulnerability lies within the AbstractSettingsCollection.php model, specifically in how it handles saved system settings. When the application loads these settings, it checks if a string begins with a specific “serialized:” prefix. If found, the system blindly processes the rest of the string using a native PHP function.
As the technical summary details:
“This method automatically retrieves settings for a specific module or component… and, if so, blindly passes the remainder of the string to PHP’s native unserialize() function without any class validation”.
By failing to restrict which classes may be instantiated during deserialization, the application inadvertently allows an attacker to inject attacker-controlled objects into the server’s memory.
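As an added illustration (not GroupOffice’s own code; function names are hypothetical and it assumes PHP 8), the prefix-dispatch pattern described above in its unsafe form beside a hardened decoder that refuses to instantiate any class:

```php
<?php
// Added illustration, not GroupOffice's code: the "serialized:" prefix dispatch the advisory describes.

const SERIALIZED_PREFIX = 'serialized:';

// Unsafe pattern: any class named in the stored string is instantiated, so every
// gadget class on the autoload path (bundled libraries included) is reachable.
function decodeSettingUnsafe(string $stored): mixed
{
    if (!str_starts_with($stored, SERIALIZED_PREFIX)) { return $stored; }
    return unserialize(substr($stored, strlen(SERIALIZED_PREFIX)));
}

// Hardened: settings only need scalars and arrays, so refuse every class.
// With 'allowed_classes' => false (PHP 7.0+) objects in the payload become
// __PHP_Incomplete_Class instead of live instances, and those are rejected too.
function decodeSettingSafe(string $stored): mixed
{
    if (!str_starts_with($stored, SERIALIZED_PREFIX)) { return $stored; }
    $payload = substr($stored, strlen(SERIALIZED_PREFIX));
    $value = @unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false both for garbage and for a genuine false (b:0;)
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized setting');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('Object in setting value; refusing to load');
    }
    return $value;
}

function containsObject(mixed $value): bool
{
    if (is_object($value)) { return true; }
    if (!is_array($value)) { return false; }
    foreach ($value as $item) {
        if (containsObject($item)) { return true; }
    }
    return false;
}

// Constructed sample inputs: a legitimate array setting and one smuggling an object.
$benign = SERIALIZED_PREFIX . serialize(['theme' => 'dark', 'perPage' => 25]);
$smuggled = SERIALIZED_PREFIX . 'O:8:"stdClass":1:{s:1:"x";i:1;}';
var_dump(decodeSettingSafe($benign));
try {
    decodeSettingSafe($smuggled);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where a setting genuinely needs structured data, storing it as JSON removes the deserialization surface entirely rather than fencing it.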
While the vulnerability requires an attacker to be authenticated, even a low-privileged user can trigger the exploit. An attacker can use a legacy HTTP endpoint to inject a carefully crafted, serialized string into the database.
To achieve Remote Code Execution (RCE), the attacker leverages a “POP chain” involving Guzzle, a common library bundled with GroupOffice. By injecting a FileCookieJar object, the attacker can force the server to write a file to a location of their choosing.
The report explains the final stage of the attack:
“By filling the JAR with a SetCookie object containing PHP tags, it acts as an arbitrary file write primitive holding a web shell payload”.
Once this web shell is written to the filesystem, the attacker gains the ability to execute any command on the underlying server, leading to a total loss of confidentiality, integrity, and availability.
The vulnerability affects GroupOffice version 26.0.11 and earlier. Because this tool is used to manage sensitive data—including emails, files, and calendars—the risk to organizational data is extreme.
Security researchers and the GroupOffice team have released patches to address this critical flaw. Administrators are urged to update to the following versions immediately:
- 26.0.12
- 25.0.90
- 6.8.156