Critical RCE & Auth Bypass Flaws Discovered in GFI Archiver — Unpatched Systems at Immediate Risk of Remote Takeover

Aegiron 9 mins0

Product Overview

Product: GFI Archiver
Vendor: GFI Software
Component(s) Affected:

  • MArc.Store.Remoting.exe (Default TCP Port: 8018)
  • MArc.Core.Remoting.exe (Default TCP Port: 8017)

GFI Archiver is an enterprise email archiving solution typically deployed within Windows Server environments. It integrates with Microsoft Exchange and other mail systems to archive, index, and retrieve email communications. The remoting services mentioned above are backend components used for internal service communication and administrative interaction.

Vulnerability Summary Table

CVE NameCVE IDCVSS ScoreSeverityExploitabilityExploit Availability
MArc.Store Deserialization RCECVE-2026-20368.8High / CriticalRemote, Network-basedPublic technical analysis reported
MArc.Core Deserialization RCECVE-2026-20378.8High / CriticalRemote, Network-basedPublic technical analysis reported
MArc.Core Authentication BypassCVE-2026-20387.3HighRemote, UnauthenticatedNo official PoC published
MArc.Store Authentication BypassCVE-2026-20397.3HighRemote, UnauthenticatedNo official PoC published

Technical Details

CVE-2026-2036 & CVE-2026-2037 – Insecure Deserialization Leading to RCE

These vulnerabilities exist in the .NET remoting services of GFI Archiver. The issue arises from unsafe deserialization of user-supplied data. Objects received over the network are processed without strict validation of type safety or integrity.

When untrusted serialized data is accepted and deserialized, specially crafted object chains may be instantiated. In certain runtime conditions, this can lead to arbitrary code execution within the context of the Archiver service account.

Because the vulnerable services listen on TCP ports 8017 and 8018, exposure becomes critical when:

  • The ports are accessible externally
  • Network segmentation is weak
  • Firewall rules are misconfigured
  • Service authentication checks are improperly enforced

If exploited successfully, an attacker could:

  • Execute arbitrary system commands
  • Deploy malware or ransomware
  • Create new privileged accounts
  • Access archived email data
  • Pivot laterally within the network

Execution occurs under the privileges of the service account running the remoting process. In many enterprise deployments, this account has elevated permissions.

CVE-2026-2038 & CVE-2026-2039 – Authentication Bypass

The authentication bypass vulnerabilities stem from missing authorization checks within specific exposed remoting methods.

It was observed that certain API methods did not properly validate whether a caller was authenticated or authorized to invoke administrative-level functionality.

This allows:

  • Unauthenticated method invocation
  • Access to sensitive internal operations
  • Potential chaining with deserialization flaws for RCE

When combined with the RCE vulnerabilities, the overall attack complexity is significantly reduced.

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1203 – Exploitation for Client Execution
  • T1059 – Command and Scripting Interpreter
  • T1105 – Ingress Tool Transfer
  • T1078 – Valid Accounts (if credentials are leveraged post-exploitation)

Exploitation Overview (Educational)

Exploitation generally involves sending crafted serialized payloads to the exposed remoting ports. Attackers may leverage .NET gadget chains if unsafe formatters (such as BinaryFormatter or NetDataContractSerializer) are used.

Public discussions indicate proof-of-concept demonstrations have circulated in security research communities. However, no vendor-supported exploit code has been officially published.

Indicators of exploitation attempts may include:

  • Unusually large binary requests to ports 8017/8018
  • Repeated malformed serialization exceptions
  • Immediate spawning of command interpreters
  • Unexpected outbound network connections from Archiver servers

Indicators of Compromise (IOCs)

  • External connections to TCP 8017 or 8018
  • Child process creation from:
    • MArc.Core.Remoting.exe
    • MArc.Store.Remoting.exe
  • Execution of:
    • cmd.exe
    • powershell.exe
    • rundll32.exe
    • regsvr32.exe
  • Creation of new services or scheduled tasks
  • Unexpected archive access or data export events

Detection Guidance

Network Monitoring

Monitor inbound traffic to:

TCP 8017
TCP 8018

Any exposure to the public internet should be treated as high risk.

SIEM Detection Queries

Splunk

index=network_logs dest_port IN (8017,8018)
| stats count by src_ip, dest_ip, dest_port
| where count > 10

Process Monitoring:

index=windows_logs EventCode=4688
| where ParentProcessName="MArc.Core.Remoting.exe" OR ParentProcessName="MArc.Store.Remoting.exe"

Microsoft Sentinel (KQL)

Network activity:

DeviceNetworkEvents
| where RemotePort in (8017, 8018)
| summarize count() by RemoteIP, DeviceName

Process creation:

DeviceProcessEvents
| where InitiatingProcessFileName in ("MArc.Core.Remoting.exe","MArc.Store.Remoting.exe")
| where FileName in ("cmd.exe","powershell.exe","rundll32.exe")

Elastic (KQL)

destination.port:(8017 OR 8018)

Process detection:

process.parent.name:("MArc.Core.Remoting.exe" OR "MArc.Store.Remoting.exe")
AND process.name:("cmd.exe" OR "powershell.exe")

Host-Based Detection

  • Enable detailed PowerShell logging
  • Enable Sysmon Event ID 1 (Process Creation)
  • Monitor Event ID 7045 (Service Creation)
  • Monitor abnormal memory consumption or service crashes

Risk Assessment

The combined impact of these vulnerabilities is considered high because:

  • Exploitation can occur remotely
  • Authentication may not be required
  • Code execution may occur with elevated privileges
  • Email archives contain sensitive historical data

Organizations with internet-facing Archiver servers are at immediate risk.

Remediation

Immediate Actions

  • Block external access to TCP 8017 and 8018
  • Restrict access via internal firewall rules
  • Review service account permissions
  • Conduct compromise assessment

Permanent Fix

Upgrade GFI Archiver to the latest vendor-supported build.

Official Upgrade Link:

https://upgrade.gfi.com

It is recommended that the vendor support portal be consulted to confirm the exact patched version addressing CVE-2026-2036 through CVE-2026-2039.

Hardening Recommendations

  • Disable unused remoting services if not required
  • Place Archiver behind internal-only network segments
  • Implement strict application whitelisting
  • Enforce least-privilege service accounts
  • Enable advanced logging before patching to detect pre-existing compromise

Conclusion

The vulnerabilities identified under CVE-2026-2036 through CVE-2026-2039 represent a significant risk to organizations running GFI Archiver. The presence of remote deserialization flaws combined with authentication bypass conditions increases the likelihood of exploitation in exposed environments.

Immediate network restriction and patch validation are strongly advised. Monitoring for anomalous process creation and network activity is critical until confirmed remediation is completed.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.