Cyber Posture

CVE-2026-2038

Critical

Published: 20 February 2026
Modified: 24 February 2026
KEV Added: (no entry)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-27934.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly enforces authorization checks before allowing access to sensitive functionality in the MArc.Core.Remoting.exe process, addressing the core missing authorization flaw.
- prevent: Identifies and restricts the actions permitted without identification or authentication, so that no sensitive resources such as those exposed by MArc.Core.Remoting.exe on port 8017 are reachable anonymously.
- prevent: Restricts access to TCP port 8017 used by the vulnerable MArc.Core.Remoting.exe process, preventing remote unauthenticated exploitation from untrusted networks.

The first two controls live inside the product and are delivered by the vendor's fix; the network restriction is the compensating control an operator can apply on their own hosts and perimeter before the patch is installed.
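The network-restriction control above, as an added example that is not part of this advisory or of GFI's own tooling. Run as Administrator on the Archiver server, it checks the installed version against the 15.10 the page lists as affected, shows whether MArc.Core.Remoting.exe is listening on TCP/8017 and on which address, disables existing inbound firewall rules that open that port or program broadly, and adds an Allow rule scoped to an operator-supplied allow-list. The Uninstall-registry display name pattern ('GFI Archiver*') and the 10.0.5.0/24 allow-list are assumptions and must be adjusted to the environment.

```powershell
# Added example (not from the advisory or GFI). Run as Administrator.
# Assumptions: the product registers itself with a DisplayName starting "GFI Archiver";
# $AllowedSources is a placeholder that must be replaced with the real management hosts.

$AffectedVersion = '15.10'            # version listed as affected on the advisory page
$Port            = 8017               # listener of MArc.Core.Remoting.exe per the advisory
$AllowedSources  = @('10.0.5.0/24')   # PLACEHOLDER: hosts that legitimately talk to the Archiver core

# 1. Installed version (64-bit and 32-bit uninstall hives).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$archiver = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'GFI Archiver*' } |
    Select-Object -First 1 DisplayName, DisplayVersion
if ($archiver) {
    $status = if ($archiver.DisplayVersion -like "$AffectedVersion*") {
        'listed as AFFECTED on the advisory'
    } else {
        'not the listed version; confirm against the vendor advisory'
    }
    Write-Host ("{0} {1}: {2}" -f $archiver.DisplayName, $archiver.DisplayVersion, $status)
} else {
    Write-Host 'GFI Archiver not found under the Uninstall registry keys.'
}

# 2. Is something listening on 8017, which process, and on which address?
#    0.0.0.0 or :: means the service is bound on every interface, not just loopback.
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
            PID          = $_.OwningProcess
        }
    } | Format-Table -AutoSize

# 3. Compensating control. Windows Firewall evaluates Block rules before Allow rules,
#    so a "block everything else" rule would also block the allow-list. Instead: disable
#    broad Allow rules for the port or program and rely on the profile's default inbound
#    Block, then add one Allow scoped to the trusted sources.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port") -or
        (($_ | Get-NetFirewallApplicationFilter).Program -like '*MArc.Core.Remoting.exe')
    } |
    ForEach-Object {
        Write-Host "Disabling broad inbound rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

New-NetFirewallRule -DisplayName 'GFI Archiver core (TCP/8017) - management hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# The scoped Allow only protects the port if every active profile defaults inbound to Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
```

This is a stopgap, not a fix: any host inside the allow-list can still reach the unauthenticated service, which is exactly the lateral-movement path (T1210) noted later on this page, so the patch from GFI remains the required remediation.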

Security Summary

CVE-2026-2038 is a missing authorization vulnerability, classified as an authentication bypass, affecting GFI Archiver installations. The flaw resides in the configuration of the MArc.Core.Remoting.exe process, which listens on TCP port 8017 and fails to enforce proper authorization checks before granting access to sensitive functionality. This issue, mapped to CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was originally tracked as ZDI-CAN-27934.

Remote attackers can exploit this vulnerability without authentication, as no privileges or user interaction are required. By connecting to the exposed port 8017, an unauthenticated adversary gains unauthorized access to the service. While the bypass alone does not directly execute code, it can be chained with other vulnerabilities to achieve arbitrary code execution in the context of the SYSTEM user, potentially leading to full compromise of the affected host.

The Zero Day Initiative published the advisory as ZDI-26-075 (https://www.zerodayinitiative.com/advisories/ZDI-26-075/), which is the canonical public report of the issue. Practitioners should consult it together with GFI's official channels for the patched release and hardening guidance; until the fix is applied, restricting network access to TCP port 8017 to trusted management hosts is the available compensating measure.

Details

CWE(s): CWE-862 Missing Authorization

Affected Products: GFI Archiver 15.10 (vendor: gfi, product: archiver, version: 15.10)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability is a missing authorization (authentication bypass) in a remotely accessible service (TCP/8017) that allows unauthenticated remote attackers to access sensitive functionality, directly enabling exploitation of public-facing applications (T1190) and remote services (T1210) for initial access and potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References