CVE-2026-2037
Published: 20 February 2026
Summary
CVE-2026-2037 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in GFI Archiver. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 39.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2037 is a deserialization of untrusted data vulnerability in GFI Archiver that leads to remote code execution. The flaw resides in the MArc.Core.Remoting.exe process, which listens on TCP port 8017, and stems from insufficient validation of user-supplied data during deserialization. Successful exploitation grants an attacker the ability to run arbitrary code in the context of the SYSTEM account on affected installations.
Although the vulnerability requires authentication, the existing mechanism can be bypassed, allowing remote attackers to trigger the flaw over the network without additional user interaction. The issue was originally reported as ZDI-CAN-27935 and carries a CVSS 3.0 base score of 8.8.
The Zero Day Initiative advisory ZDI-26-074 addresses the issue. Exploitation probability remains low overall, yet the EPSS score rose from a starting value of 0.0055 to a peak of 0.0103, indicating increased interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7776
Vulnerability details
GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.
Mitigating Controls (NIST 800-53 r5) AI
- Directly requires validation of user-supplied data before deserialization in MArc.Core.Remoting.exe, blocking the untrusted-data flaw that leads to SYSTEM RCE.
- Enforces authentication and access decisions on the exposed TCP 8017 endpoint, preventing the documented authentication bypass that allows remote exploitation.
- Restricts network traffic to the MArc.Core.Remoting.exe listener on port 8017, limiting the remote access, whether unauthenticated or obtained through the authentication bypass, that triggers the deserialization vulnerability.