Cyber Posture

CVE-2026-3422

Critical · RCE

Published: 02 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: not recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.4th percentile)
Risk Priority: 20 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3422 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in U-Office Force from e-Excellence (listed under the vendor name Edetw in product data). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 44.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the vendor fix, and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation, i.e. applying the vendor's fix, removes the insecure deserialization path and with it the arbitrary code execution from malicious serialized content. This is the control that eliminates the flaw; the other two only reduce exposure while it is still present.

SI-10 Information Input Validation (prevent)

Information input validation rejects or sanitizes maliciously crafted serialized content before it is deserialized. In practice this means resolving types from untrusted input only through an allowlist of the classes the application expects (or moving to a data-only format such as JSON); pattern-matching the serialized blob for known gadget names is easy to bypass and should not be relied on.

SI-16 Memory Protection (prevent)

Memory protection mechanisms such as DEP and ASLR raise the cost of native code execution on the server. Caveat: they help only when the exploit depends on memory corruption. Deserialization RCE in managed runtimes (Java, .NET, PHP, Python) normally drives an existing gadget chain at the language level and is unaffected by DEP and ASLR, so treat this as a weak, secondary control.
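To make the SI-10 recommendation concrete, the following added example (written for this page, not code from U-Office Force or e-Excellence) shows a CWE-502 handler beside an allowlisting one. The product's real serialization format is not documented here, so Python's pickle stands in for it; the `Document` type, the `eval`-based gadget and the two payloads are constructed for the demonstration.

```python
"""Insecure deserialization (CWE-502) beside an allowlist-based fix.

Added example for this page; pickle stands in for whatever serialization
format U-Office Force actually uses (not documented on the page).
"""
import builtins
import io
import pickle


class Document:
    """The legitimate type the server expects in incoming serialized data."""

    def __init__(self, title: str, body: str) -> None:
        self.title = title
        self.body = body


class ExploitGadget:
    """Attacker-controlled object. When unpickled, the stream instructs the
    deserializer to call builtins.eval on an attacker-chosen string; a real
    payload would name os.system or a framework gadget chain instead."""

    def __init__(self, expr: str) -> None:
        self.expr = expr

    def __reduce__(self):
        # (callable, args): pickle records this and the LOADER calls it.
        return (builtins.eval, (self.expr,))


def legit_payload() -> bytes:
    """What a well-behaved client sends (constructed sample input)."""
    return pickle.dumps(Document("quarterly report", "all numbers green"))


def attacker_payload(expr: str = "7 * 6") -> bytes:
    """What an unauthenticated attacker sends (constructed sample input)."""
    return pickle.dumps(ExploitGadget(expr))


def vulnerable_loads(data: bytes):
    """Vulnerable server side: deserializes whatever it receives (CWE-502).
    Any callable the stream names is invoked while loading."""
    return pickle.loads(data)


# SI-10 style allowlist: the only (module, name) pairs the server will resolve.
SAFE_GLOBALS = {(Document.__module__, "Document"): Document}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened deserializer: refuses every global not on the allowlist, so
    gadget classes and builtins such as eval are never resolved, let alone
    called."""

    def find_class(self, module: str, name: str):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name}: not on allowlist"
            ) from None


def safe_loads(data: bytes):
    """Hardened server side: same input, resolved only through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejected_by_allowlist(data: bytes) -> bool:
    """True if the hardened handler refuses the payload before any call runs."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler evaluated attacker expression:",
          vulnerable_loads(attacker_payload()))
    print("safe handler accepted legit document:",
          safe_loads(legit_payload()).title)
    print("safe handler rejected attacker payload:",
          rejected_by_allowlist(attacker_payload()))
```

The vulnerable handler returns 42 because the loader itself executed `eval("7 * 6")`; nothing in the application code looks malicious, which is why CWE-502 bugs survive review. The allowlist is keyed on the fully qualified type, so an attacker cannot smuggle in a same-named class from another module, and the rejection happens at `find_class`, before any constructor or `__reduce__` target runs.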

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insecure deserialization vulnerability enables unauthenticated remote attackers to execute arbitrary code on a public-facing server application, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

U-Office Force developed by e-Excellence has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.

Deeper analysis

CVE-2026-3422 is an insecure deserialization vulnerability (CWE-502) affecting U-Office Force, a software product developed by e-Excellence. Published on 2026-03-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables unauthenticated remote attackers to execute arbitrary code on the server through the transmission of maliciously crafted serialized content.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, needing neither privileges nor user interaction. Scope is unchanged, so the rated impact is confined to the vulnerable server component, but within it the impact is total: successful exploitation yields arbitrary code execution and therefore high loss of confidentiality, integrity and availability.

Advisories from TWCERT/CC provide further details on this vulnerability, available at https://www.twcert.org.tw/en/cp-139-10743-9a952-2.html and https://www.twcert.org.tw/tw/cp-132-10742-45b13-1.html.

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

Edetw U-Office Force, versions up to and including 29.50 (≤ 29.50)

CVEs Like This One

CVE-2025-12865 (same product: Edetw U-Office Force)
CVE-2025-2396 (same product: Edetw U-Office Force)
CVE-2025-2395 (same product: Edetw U-Office Force)
CVE-2025-12864 (same product: Edetw U-Office Force)
CVE-2025-54366 (shared CWE-502)
CVE-2025-7916 (shared CWE-502)
CVE-2025-0994 (shared CWE-502)
CVE-2024-56180 (shared CWE-502)
CVE-2025-9121 (shared CWE-502)
CVE-2026-24378 (shared CWE-502)
