CVE-2026-3422
Published: 02 March 2026
Description
U-Office Force, developed by e-Excellence, has an insecure deserialization vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.
Mitigating Controls (NIST 800-53 r5)
- Timely flaw remediation directly patches the insecure deserialization vulnerability, preventing arbitrary code execution from malicious serialized content.
- Information input validation rejects or sanitizes maliciously crafted serialized content before deserialization, blocking the root cause of the vulnerability.
- Memory protection mechanisms like DEP and ASLR mitigate arbitrary code execution resulting from successful deserialization exploits.
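The second control above (validate serialized input before it is deserialized) is easiest to see in code. The following is an added illustration, not code from this advisory, from e-Excellence or from U-Office Force; the record does not state which serialization format the product uses, so Python's pickle stands in, and the allowlist contents, the function names and the sample payloads are all constructed for this example. The point it makes is format-independent: a deserializer that resolves arbitrary type or callable names from untrusted bytes will instantiate whatever the sender names, whereas one that checks every resolved name against an application-specific allowlist refuses the forged stream before anything runs.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the application legitimately needs to
# reconstruct. Everything else is refused before it is looked up or called.
# Hypothetical list for this example; a real deployment derives it from the
# types its own messages actually contain.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("builtins", "float"),
    ("builtins", "bool"),
}

# Upper bound on accepted payload size; rejecting oversized input cheaply
# is part of input validation too.
MAX_PAYLOAD_BYTES = 64 * 1024


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist.

    pickle calls find_class() for every module.name reference in the stream,
    so this is the single choke point where forged content is stopped.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes with size and type-name validation."""
    if len(data) > MAX_PAYLOAD_BYTES:
        raise ValueError(f"payload too large: {len(data)} bytes")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_loads(data: bytes):
    """Return (True, object) on success or (False, reason) when rejected."""
    try:
        return True, safe_loads(data)
    except (pickle.UnpicklingError, ValueError, EOFError) as exc:
        return False, str(exc)


class _ForgedObject:
    """Stand-in for attacker-shaped serialized content.

    On load it asks the deserializer to call a callable the application never
    meant to expose. os.getcwd is used here as a harmless placeholder; the
    mechanism is what matters, not the function chosen.
    """

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample payloads: a legitimate session record and a forged one.
BENIGN_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["viewer"]})
FORGED_PAYLOAD = pickle.dumps(_ForgedObject())


def forged_payload_runs_without_validation() -> bool:
    """Show the unvalidated path: plain pickle.loads resolves and calls the
    named callable, returning its result (here, the working directory)."""
    return pickle.loads(FORGED_PAYLOAD) == os.getcwd()


if __name__ == "__main__":
    print("benign, validated:", try_loads(BENIGN_PAYLOAD))
    print("forged, validated:", try_loads(FORGED_PAYLOAD))
    print("forged, unvalidated, callable was invoked:",
          forged_payload_runs_without_validation())
```

Run it and the validated path returns the session dictionary for the benign stream and a `forbidden global ...getcwd` rejection for the forged one, while the unvalidated path invokes the named callable. A remediation for a product like the one in this record would apply the same shape (size limit plus a strict allowlist of resolvable types, enforced inside the deserializer rather than by pattern-matching the bytes) in whatever serialization library the server actually uses.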
Security Summary
CVE-2026-3422 is an insecure deserialization vulnerability (CWE-502) affecting U-Office Force, a software product developed by e-Excellence. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables unauthenticated remote attackers to execute arbitrary code on the server through the transmission of maliciously crafted serialized content.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability by allowing arbitrary code execution on the targeted server.
Advisories from TWCERT/CC provide further details on this vulnerability, available at https://www.twcert.org.tw/en/cp-139-10743-9a952-2.html and https://www.twcert.org.tw/tw/cp-132-10742-45b13-1.html.
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- Affected Products: U-Office Force (e-Excellence)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The insecure deserialization vulnerability enables unauthenticated remote attackers to execute arbitrary code on a public-facing server application, which directly corresponds to T1190: Exploit Public-Facing Application.