Cyber Resilience

CVE-2026-2037

High · RCE

Published: 20 February 2026

Modified: 24 February 2026
CVSS Score v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0107 (60.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2037 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in GFI Archiver. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 39.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2037 is a deserialization of untrusted data vulnerability in GFI Archiver that leads to remote code execution. The flaw resides in the MArc.Core.Remoting.exe process, which listens on TCP port 8017, and stems from insufficient validation of user-supplied data during deserialization. Successful exploitation grants an attacker the ability to run arbitrary code in the context of the SYSTEM account on affected installations.

Although the vulnerability requires authentication, the existing mechanism can be bypassed, allowing remote attackers to trigger the flaw over the network without additional user interaction. The issue was originally reported as ZDI-CAN-27935 and carries a CVSS 3.0 base score of 8.8.

The Zero Day Initiative advisory ZDI-26-074 addresses the issue. Exploitation probability remains low overall, yet the EPSS score rose from a starting value of 0.0055 to a peak of 0.0103, indicating increased interest following disclosure.

Vulnerability details

GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.

CVEs Like This One

CVE-2026-2036 · Same product: GFI Archiver
CVE-2026-2038 · Same product: GFI Archiver
CVE-2026-2039 · Same product: GFI Archiver
CVE-2024-52875 · Same vendor: GFI
CVE-2025-62368 · Shared CWE-502
CVE-2025-68903 · Shared CWE-502
CVE-2024-57764 · Shared CWE-502
CVE-2025-67911 · Shared CWE-502
CVE-2025-54014 · Shared CWE-502
CVE-2025-50460 · Shared CWE-502

Affected Assets

gfi · archiver · 15.10

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of user-supplied data before deserialization in MArc.Core.Remoting.exe, blocking the untrusted-data flaw that leads to SYSTEM RCE.

Prevent: Enforces authentication and access decisions on the exposed TCP 8017 endpoint, preventing the documented authentication bypass that allows remote exploitation.

Prevent: Restricts network traffic to the MArc.Core.Remoting.exe listener on port 8017, limiting remote unauthenticated or bypassed access that triggers the deserialization vulnerability.
