CVE-2026-34838
Group-Office · Group-Office
A vulnerability in the AbstractSettingsCollection model of Group-Office leads to insecure deserialization, allowing authenticated attackers to achieve Remote Code Execution via arbitrary file write.
Executive summary
Group-Office enterprise CRM and groupware contains a critical insecure deserialization vulnerability that allows authenticated users to execute arbitrary code on the underlying server.
Vulnerability
This vulnerability exists within the AbstractSettingsCollection model where improper handling of serialized data occurs. An authenticated attacker can inject a malicious FileCookieJar object into a setting string, triggering an arbitrary file write that facilitates Remote Code Execution (RCE).
Business impact
A successful exploit of this vulnerability grants an attacker the ability to execute arbitrary commands with the privileges of the web server. This could lead to a complete compromise of the CRM database, unauthorized access to sensitive customer relationship data, and total system downtime. Given the CVSS score of 9.9, the risk to confidentiality, integrity, and availability is considered critical.
Remediation
Immediate Action: Administrators must immediately update Group-Office to version 6.8.156, 25.0.90, or 26.0.12 to patch the insecure deserialization flaw.
Proactive Monitoring: Security teams should monitor system logs for unusual file write activities and inspect the AbstractSettingsCollection entries for unexpected serialized objects or "FileCookieJar" references.
Compensating Controls: Implementing strict egress filtering and utilizing an endpoint detection and response (EDR) solution can help detect and block post-exploitation activities such as web shell deployment.
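The monitoring step above asks for inspection of stored settings for unexpected serialized objects. As an added example (not Group-Office code, and not tied to its real schema), the Python below scans constructed (setting name, value) rows for PHP object tokens of the form `O:<len>:"<class>":`, treats any object as worth review (settings should be scalars or arrays), and escalates when the class name matches one the advisory names, such as FileCookieJar. The length check filters ordinary text that merely contains `O:`.

```python
import re

# Serialized PHP object token: O:<byte length>:"<class name>":
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":')

# Class names the advisory calls out; extend with any gadget class your
# team tracks. Namespaces are stripped before comparison.
SUSPICIOUS_CLASSES = {"FileCookieJar"}

# Constructed sample rows (setting name, stored value); not real Group-Office data.
SAMPLE_ROWS = [
    ("theme", "Paper"),
    ("columns", 'a:2:{i:0;s:4:"name";i:1;s:5:"email";}'),
    ("note", 'Ref O:12:"notes": see doc'),    # token-like text, length does not match
    ("widget", 'O:8:"stdClass":0:{}'),
    ("mail_options", 'O:13:"FileCookieJar":0:{}'),
]

def find_php_objects(value: str) -> list[str]:
    """Return the class name of every object token whose declared length
    matches the class name, which filters out accidental 'O:' text."""
    found = []
    for m in PHP_OBJECT_RE.finditer(value):
        declared, name = int(m.group(1)), m.group(2)
        if declared == len(name.encode("utf-8")):
            found.append(name)
    return found

def classify_setting(value: str) -> tuple[str, list[str]]:
    """'ok' for scalars/arrays, 'review' for any object, 'critical' when a
    known gadget class such as FileCookieJar is present."""
    classes = find_php_objects(value)
    if not classes:
        return "ok", []
    short_names = {c.rsplit("\\", 1)[-1] for c in classes}
    if short_names & SUSPICIOUS_CLASSES:
        return "critical", classes
    return "review", classes

def scan_settings(rows) -> dict[str, str]:
    """Map setting name -> verdict for every row that is not 'ok'."""
    verdicts = {}
    for name, value in rows:
        verdict, _ = classify_setting(value)
        if verdict != "ok":
            verdicts[name] = verdict
    return verdicts

if __name__ == "__main__":
    for name, verdict in scan_settings(SAMPLE_ROWS).items():
        print(f"{verdict:8} {name}")
```

Run it against an export of the settings table; every "review" hit deserves a look even when the class is unfamiliar, since legitimate settings never need an object.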
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this vulnerability cannot be overstated, as it allows a standard authenticated user to gain full control over the enterprise CRM environment. Organizations using Group-Office must prioritize this update above routine maintenance. Immediate patching to the specified versions is the only effective way to mitigate this risk.