CVE-2026-3422
Published: 02 March 2026
Summary
CVE-2026-3422 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Edetw U-Office Force. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). This CVE ranks in the top 49.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3422 is an insecure deserialization vulnerability (CWE-502) affecting U-Office Force, a software product developed by e-Excellence. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables unauthenticated remote attackers to execute arbitrary code on the server through the transmission of maliciously crafted serialized content.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability by allowing arbitrary code execution on the targeted server.
Advisories from TWCERT/CC provide further details on this vulnerability, available at https://www.twcert.org.tw/en/cp-139-10743-9a952-2.html and https://www.twcert.org.tw/tw/cp-132-10742-45b13-1.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9149
Vulnerability details
U-Office Force, developed by e-Excellence, has an insecure deserialization vulnerability that allows unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure deserialization vulnerability enables unauthenticated remote attackers to execute arbitrary code on a public-facing server application, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): timely flaw remediation directly patches the insecure deserialization vulnerability, preventing arbitrary code execution from malicious serialized content.
SI-10 (Information Input Validation): information input validation rejects or sanitizes maliciously crafted serialized content before it is deserialized, blocking the root cause of the vulnerability.
SI-16 (Memory Protection): memory protection mechanisms such as DEP and ASLR mitigate arbitrary code execution resulting from successful deserialization exploits.