PROBABLYPWNED
Vulnerabilities | April 6, 2026 | 4 min read

Group-Office Deserialization Bug Enables Server Takeover (CVSS 9.9)

CVE-2026-34838 lets authenticated attackers achieve RCE on Group-Office CRM servers via insecure deserialization. Upgrade to patched versions immediately.

Marcus Chen

A critical insecure deserialization vulnerability in Group-Office allows authenticated attackers to execute arbitrary code on the server. CVE-2026-34838 carries a CVSS score of 9.9—just shy of the maximum—and affects all versions prior to the April 2 patches.

Group-Office is an open-source enterprise CRM and groupware solution used for contact management, project tracking, email, calendaring, and document storage. Organizations running self-hosted deployments should update immediately.

The Deserialization Primitive

The vulnerability exists in the AbstractSettingsCollection model, which handles user and system configuration data. When loading settings, the application deserializes stored values without validating their contents.

An attacker with a valid user account can store a serialized FileCookieJar object inside a setting string. When that setting is loaded, PHP's unserialize() instantiates the object; when the object is later freed, its destructor runs and persists the cookie jar to the file path the object carries, using content the attacker also controls. That arbitrary file write is the whole exploit: the attacker writes PHP code to a file under the web root and then requests it, which turns the write into remote code execution.

The attack sequence breaks down to:

  1. Authenticate to Group-Office with any valid user account
  2. Modify a setting value to contain a malicious serialized payload
  3. Trigger settings load to deserialize the payload
  4. The FileCookieJar destructor writes a webshell
  5. Access the webshell for arbitrary command execution

The low privilege requirement is why this scores 9.9 despite requiring authentication. Under CVSS 3.x, 9.9 is the score for a network-reachable, low-complexity bug that needs only low privileges and no user interaction but produces a scope change with full confidentiality, integrity and availability impact; the scope change reflects that compromising the web application yields control of the underlying host, and without it the same bug would score 8.8. Any user account, even a basic employee with limited CRM access, can escalate to full server compromise.

Why Deserialization Bugs Keep Appearing

PHP applications remain plagued by insecure deserialization because unserialize() will instantiate any autoloadable class named in its input and run that class's magic methods (__wakeup, __unserialize, __destruct, __toString and so on), so feeding it data an attacker can influence hands them an object-construction primitive. Since PHP 7.0 the function has accepted an allowed_classes option that disables class instantiation entirely, and JSON is the obvious storage format for settings that never need to be objects, but legacy code and applications like Group-Office often serialize objects directly for storage convenience.

This pattern mirrors vulnerabilities in other enterprise applications. The PraisonAI sandbox bypass last week scored a perfect 10.0 through a similar code execution path, and AI agent frameworks have seen a wave of critical RCE flaws this quarter.

Deserialization attacks are well understood and quick to weaponize. Public gadget chains exist for most widely used PHP libraries and frameworks, and an application inherits every chain in the code it bundles, so the attacker only has to find the sink: the code path where data they influence reaches unserialize(). This bug uses the simplest kind of chain, a single class whose destructor writes a file, with no need to link several objects together.
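As an added illustration of the sink and the hardening described above (this is not Group-Office code and not the FileCookieJar chain itself): the hypothetical class PersistOnDestruct stands in for any library class whose destructor saves state to a path stored in the object, placed beside the unserialize() call as it is typically written and two hardened replacements. The demo assumes PHP 8 and writes only into a temporary directory, so it can be run safely with the PHP CLI.

```php
<?php
// Added example, not Group-Office code. PersistOnDestruct is a hypothetical stand-in for a
// library class whose destructor saves state to a path the object carries; FileCookieJar is
// the real-world instance the advisory names, but nothing here depends on it.
declare(strict_types=1);

final class PersistOnDestruct
{
    public string $path = '';
    public string $content = '';

    // Runs whenever the object is freed, including an object that unserialize() built.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// The sink as it is usually written: default options, so any autoloadable class named in
// the input is instantiated and its magic methods run.
function loadSettingVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened 1: refuse to instantiate classes (PHP >= 7.0). Objects in the input come back as
// __PHP_Incomplete_Class, which carries the data but has no destructor of its own.
function loadSettingHardened(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Hardened 2: store JSON instead. json_decode() never creates application objects.
function loadSettingJson(string $stored): mixed
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// --- demo ------------------------------------------------------------------------------
$dir    = sys_get_temp_dir() . '/deser-demo-' . getmypid();
$target = $dir . '/shell.php';
mkdir($dir);

// The attacker never runs `new PersistOnDestruct` on the server; they only need the
// serialized text. Build it by hand so no gadget object exists on the "attacker" side.
$content = '<?php echo "written by destructor"; ?>';
$payload = sprintf(
    'O:17:"PersistOnDestruct":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);

$obj = loadSettingVulnerable($payload);   // object instantiated, nothing written yet
unset($obj);                              // object freed: destructor performs the file write
printf("vulnerable sink, file exists: %s\n", var_export(file_exists($target), true));
@unlink($target);

$obj = loadSettingHardened($payload);     // same input, no real class instantiated
printf("hardened sink, got class: %s\n", get_class($obj));
unset($obj);                              // nothing runs on free
printf("hardened sink, file exists: %s\n", var_export(file_exists($target), true));

// JSON settings simply cannot carry a gadget.
var_dump(loadSettingJson('{"theme":"dark"}'));

rmdir($dir);
```

The point the first half makes is the timing: the write does not happen inside unserialize() but when the object is released, which is why a sink that merely reads a setting and discards the result is still exploitable. The allowed_classes option is the smallest patch for an existing sink; where the stored values are scalars or arrays, switching the storage format to JSON removes the class of bug rather than one instance of it.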

Patched Versions

Group-Office released fixes on April 2, 2026 in the following versions:

  • 6.8.156 (6.8 branch)
  • 25.0.90 (25.x branch)
  • 26.0.12 (26.x branch)

Organizations should identify their current branch and upgrade to the corresponding patched release. The fix validates setting values before deserialization, blocking the injection of malicious objects.

Self-Hosted CRM Security

Group-Office deployments often contain years of accumulated business data: customer contacts, email archives, internal documents, and project records. A compromised server exposes all of it.

Beyond data theft, attackers gaining shell access to a CRM server sit inside the corporate network with legitimate-looking traffic. The server likely has database access, email connectivity, and network visibility that make it useful for lateral movement. We covered similar pivot scenarios in the Hims & Hers breach where attackers moved from customer service platforms to broader infrastructure.

Organizations running self-hosted groupware should audit their deployments and ensure patch management processes cover these applications. Unlike cloud services that update automatically, self-hosted software requires proactive maintenance.

Detection Guidance

Administrators can check for exploitation by reviewing web server logs for unusual POST requests to settings endpoints, particularly from accounts that rarely change settings or from unfamiliar client addresses. The payload itself appears in the HTTP request body, which the default combined access-log format does not record; a WAF audit log, a reverse proxy configured to capture bodies, or application-level request logging is needed to see it. Where bodies were not logged, inspect the stored setting values directly: a serialized PHP object starts with a header of the form O:<length>:"<class name>":, and no legitimate user setting should contain one.

Monitor the web root directory for unexpected PHP files, and compare shipped files against the checksums of the installed release rather than only looking for new names, since an attacker can append to an existing script instead of dropping a new one. The primitive is an arbitrary write, not a write confined to the web root, so also review other locations the web server user can write to (template and upload directories, anything on the PHP include path) and any file that changed around the time of the suspicious requests. File integrity monitoring catches webshell deployment in all of these cases.
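As an added example of both checks (not Group-Office code): a PHP CLI script that flags serialized PHP object headers in logged request bodies or stored setting values, and lists PHP-executable files under a web root that are missing from, or differ from, a known-good manifest. The log lines, the manifest, the endpoint path /settings/save and the temporary web root are all constructed for the demo, and the class name in the sample payload is the hypothetical PersistOnDestruct rather than a real gadget.

```php
<?php
// Added example, not Group-Office code. Two checks for the indicators described above:
// (1) serialized PHP objects inside logged request bodies or stored setting values,
// (2) PHP-executable files under the web root that are not in a known-good manifest.
// The log lines, manifest, paths and web root are constructed here for the demo.
declare(strict_types=1);

// Header of a serialized PHP object: O:<len>:"<Class>":<n>:{  (or C: for Serializable).
// The quotes may arrive backslash-escaped when the payload sits inside a JSON string.
const SERIALIZED_OBJECT_RE = '/(?<![A-Za-z0-9])[OC]:\d+:\\\\?"([A-Za-z0-9_\\\\]+)\\\\?":\d+:\{/';

/** Class names of every serialized object found in one request body or stored value. */
function findSerializedObjects(string $body): array
{
    // Form bodies arrive percent-encoded; decode once so the header is visible.
    $decoded = str_contains($body, '%') ? urldecode($body) : $body;
    preg_match_all(SERIALIZED_OBJECT_RE, $decoded, $m);
    return $m[1];
}

// Constructed body log: timestamp, client, path, body, tab separated. This is the kind of
// record a WAF audit log or a body-capturing reverse proxy produces; a plain access log
// does not contain the body at all.
const SAMPLE_BODY_LOG = [
    "2026-04-03T09:12:04Z\t10.0.0.7\t/settings/save\tname=theme&value=dark",
    "2026-04-03T09:13:31Z\t10.0.0.7\t/settings/save\tname=locale&value=en_GB",
    "2026-04-03T09:41:18Z\t198.51.100.23\t/settings/save\tname=theme&value="
        . "O%3A17%3A%22PersistOnDestruct%22%3A2%3A%7Bs%3A4%3A%22path%22%3Bs%3A1%3A%22x%22%3B"
        . "s%3A7%3A%22content%22%3Bs%3A1%3A%22y%22%3B%7D",
    "2026-04-03T09:42:02Z\t198.51.100.23\t/settings/save\t{\"name\":\"theme\",\"value\":"
        . "\"O:17:\\\"PersistOnDestruct\\\":2:{s:4:\\\"path\\\";s:1:\\\"x\\\";s:7:\\\"content\\\";s:1:\\\"y\\\";}\"}",
];

/** One row per logged request whose body carries a serialized object. */
function scanBodyLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        [$ts, $client, $path, $body] = explode("\t", $line, 4);
        $classes = findSerializedObjects($body);
        if ($classes !== []) {
            $hits[] = ['time' => $ts, 'client' => $client, 'path' => $path, 'classes' => $classes];
        }
    }
    return $hits;
}

/** PHP-executable files under $webRoot that are absent from, or differ from, $manifest. */
function unexpectedPhpFiles(string $webRoot, array $manifest): array
{
    // Extensions the common Apache/nginx handler maps cover; .htaccess changes can extend
    // this list, so treat it as a starting point rather than a complete one.
    $exts  = ['php', 'phtml', 'phar', 'php7', 'php8'];
    $found = [];
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!in_array(strtolower($file->getExtension()), $exts, true)) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($webRoot) + 1);
        $sum = hash_file('sha256', $file->getPathname());
        if (($manifest[$rel] ?? null) !== $sum) {   // new file, or shipped file changed
            $found[] = $rel;
        }
    }
    sort($found);
    return $found;
}

// --- demo ------------------------------------------------------------------------------
foreach (scanBodyLog(SAMPLE_BODY_LOG) as $hit) {
    printf("%s %s %s serialized object: %s\n",
        $hit['time'], $hit['client'], $hit['path'], implode(', ', $hit['classes']));
}

$root = sys_get_temp_dir() . '/webroot-demo-' . getmypid();
mkdir("$root/modules", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello';");
file_put_contents("$root/modules/api.php", "<?php return 1;");
// Known-good manifest, as it would be recorded from the release package at install time.
$manifest = [
    'index.php'       => hash_file('sha256', "$root/index.php"),
    'modules/api.php' => hash_file('sha256', "$root/modules/api.php"),
];
// Simulate a dropped webshell and a shipped file that was appended to.
file_put_contents("$root/modules/cache.php", "<?php system(\$_GET['c']);");
file_put_contents("$root/index.php", "<?php eval(\$_POST['x']);", FILE_APPEND);
print_r(unexpectedPhpFiles($root, $manifest));

foreach (['modules/cache.php', 'modules/api.php', 'index.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/modules");
rmdir($root);
```

Only the two requests from the second client address carry an object header, once percent-encoded in a form body and once escaped inside a JSON string, which is why the scanner decodes before matching and tolerates escaped quotes. The manifest comparison reports both the dropped file and the modified shipped file; a check that only lists new filenames would miss the second case. The same findSerializedObjects() function can be run over exported setting values when request bodies were never logged.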

If you identify evidence of exploitation, assume full server compromise. The attacker had arbitrary code execution as the web server user, so anything on that system should be considered accessed, including the database credentials, mail account passwords and API tokens stored in the application configuration; rotate those after rebuilding the host rather than reusing them on the replacement.

For more on protecting business applications, see our online safety tips guide.
