Description
U-Office Force developed by e-Excellence has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.
Published: 2026-03-02
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

U-Office Force, a product by e-Excellence, contains an insecure deserialization flaw that permits unauthenticated attackers to send specially crafted serialized data to the server. Exploitation can lead to arbitrary code execution, giving attackers full control of the affected machine and compromising the confidentiality, integrity, and availability of the system. The weakness is classified as CWE‑502, reflecting the unsafe handling of serialized objects.

Affected Systems

The vulnerability affects the e‑Excellence U‑Office Force application across all versions prior to 29.50SP1. Vendors and customers using any earlier release are susceptible, while upgrading to version 29.50SP1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 9.3 marks it as Critical, yet the current EPSS value of less than 1% indicates a low probability of active exploitation at present. It is not listed in CISA’s KEV catalog. The likely attack vector is a remote attacker transmitting malicious serialized content to a publicly exposed endpoint that processes such data without proper validation. Successful exploitation would allow the attacker to run arbitrary code with the service’s privileges.

Generated by OpenCVE AI on April 16, 2026 at 14:40 UTC.

Remediation

Vendor Solution

Please update to version 29.50SP1 or later.


OpenCVE Recommended Actions

  • Update to U‑Office Force 29.50SP1 or later as provided by the vendor.
  • Restrict network access to the U‑Office Force service to trusted hosts or networks to limit exposure to unauthenticated attackers.
  • Configure the application to reject or strictly validate serialized payloads, ensuring only known, safe classes are deserialized.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Edetw
Edetw u-office Force
CPEs cpe:2.3:a:edetw:u-office_force:*:*:*:*:*:*:*:*
cpe:2.3:a:edetw:u-office_force:29.50:-:*:*:*:*:*:*
Vendors & Products Edetw
Edetw u-office Force

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared E-excellence
E-excellence u-office Force
Vendors & Products E-excellence
E-excellence u-office Force

Mon, 02 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
Description U-Office Force developed by e-Excellence has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content.
Title e-Excellence|U-Office Force - Insecure Deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-03-02T18:49:21.014Z

Reserved: 2026-03-02T03:36:13.481Z

Link: CVE-2026-3422

Vulnrichment

Updated: 2026-03-02T18:49:14.462Z

NVD

Status: Analyzed

Published: 2026-03-02T07:16:23.477

Modified: 2026-03-09T14:16:18.787

Link: CVE-2026-3422

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses