CVE-2026-2037
Received Received - Intake
Deserialization RCE in GFI Archiver MArc.Core via Auth Bypass

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: Zero Day Initiative

Description
GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-05-27
AI Q&A
2026-02-21
EPSS Evaluated
2026-05-25
NVD
CVE-2026-2037
EUVD
EUVD-2026-7776
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gfi archiver 15.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely with SYSTEM privileges on affected GFI Archiver installations.

This can lead to full system compromise, including unauthorized access, data theft, data manipulation, or disruption of services.


Can you explain this vulnerability to me?

This vulnerability exists in GFI Archiver's MArc.Core.Remoting.exe process, which listens on port 8017. It involves improper validation of user-supplied data leading to deserialization of untrusted data. Although authentication is required to exploit it, the authentication mechanism can be bypassed, allowing remote attackers to execute arbitrary code.

The attacker can execute code with SYSTEM-level privileges by exploiting this flaw.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability exists in the MArc.Core.Remoting.exe process of GFI Archiver, which listens on port 8017. Detection can involve checking for the presence of this process and monitoring network activity on port 8017.

  • Use a command like 'netstat -an | findstr 8017' to check if port 8017 is open and listening.
  • Use 'tasklist | findstr MArc.Core.Remoting.exe' on Windows to verify if the vulnerable process is running.
  • Monitor network traffic to port 8017 for unusual or unauthorized access attempts.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to port 8017 to trusted users only, as the vulnerability requires authentication which can be bypassed.

Consider disabling or blocking the MArc.Core.Remoting.exe process or the listening port 8017 if it is not essential for your environment.

Apply any available patches or updates from GFI Archiver to address this deserialization vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart