Description
GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A deserialization flaw in GFI Archiver’s MArc.Core.Remoting.exe allows an attacker to execute arbitrary code in the context of SYSTEM. The vulnerability arises because the software fails to validate data supplied to the deserialization routine for that component. Exploiting it enables remote execution of attacker‑controlled code, potentially compromising the entire host. The weakness is classified as CWE‑502, Deserialization of Untrusted Data.

Affected Systems

The flaw affects GFI Archiver version 15.10, which runs the MArc.Core.Remoting.exe process listening on port 8017. Only installations of the specified vendor product version are known to be susceptible, and no other versions are listed in the available data.

Risk and Exploitability

The severity score of 8.8 indicates a high‑impact attack, and the exploitation probability, as reflected by an EPSS score of less than 1 percent, suggests that real‑world exploitation is currently low. The vulnerability requires authentication, but the input mentions that the existing authentication can be bypassed, implying that an attacker could succeed even without valid credentials. Because the remote endpoint is exposed on port 8017, the attack vector is likely network‑based. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no documented active exploits are known at this time. Nevertheless, the combination of high impact and potential authentication bypass warrants urgent attention.

Generated by OpenCVE AI on April 17, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch for GFI Archiver 15.10 to eliminate the deserialization vulnerability.
  • Restrict network access to the MArc.Core.Remoting.exe service on port 8017, using firewall or segmentation, to limit exposure to trusted hosts.
  • Enforce strong, multi‑factor authentication or disable the remote remoting feature until the patch is deployed.
  • Review system logs for unusual deserialization or remote connection activity to detect attempts to bypass authentication.

Generated by OpenCVE AI on April 17, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gfi:archiver:15.10:*:*:*:*:*:*:*

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Gfi
Gfi archiver
Vendors & Products Gfi
Gfi archiver

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.
Title GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Gfi Archiver
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-24T15:01:28.418Z

Reserved: 2026-02-06T01:12:24.883Z

Link: CVE-2026-2037

cve-icon Vulnrichment

Updated: 2026-02-24T15:01:22.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:03.643

Modified: 2026-02-24T21:41:45.897

Link: CVE-2026-2037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses