The vulnerability exists in the AbstractSettingsCollection model of Group‑Office. The model deserializes user‑supplied setting strings without proper validation, creating a classic insecure deserialization flaw (CWE‑502). By crafting a serialized FileCookieJar object and embedding it in a setting string, an attacker who has authenticated access to the application can cause the server to write arbitrary files to the file system. This writes on disk grant the attacker code execution from inside the application, allowing full compromise of the underlying web server and operating system.

Affected products are Intermesh Group‑Office. Versions prior to 6.8.156, 25.0.90, and 26.0.12 are vulnerable. All iterations of the Group‑Office release line that fall below those patch releases are impacted. Only these specific major/minor releases are listed; newer releases beyond the mentioned versions have the vulnerability already fixed.

The CVSS score of 10 indicates a critical severity. Although EPSS information is not available, the flaw permits remote code execution after authentication, making it a high‑risk asset for any company running Group‑Office without the latest patch. The vulnerability is not listed in the CISA KEV catalog at present, but the lack of exploitation data does not diminish the inherent risk. The attack vector is likely through authenticated user actions that manipulate configuration values; fraud or privileged user credentials would provide the necessary access. The path to compromise is straightforward once the flaw is triggered, which stresses the urgency of applying the patch.