Archer Platform VM2 Cleanup Script Notification
Overview
Archer has confirmed that recent Platform versions are not affected by the vm2 vulnerability (CVE‑2026‑22709). Although the component was removed beginning with the 2024.11 Update Release 01, some clients have reported residual vm2 files still present in certain directories. Archer has investigated these reports and is providing a cleanup script and accompanying README to address the issue.
Action Required
Clients running the following code versions should review the README and run the provided cleanup script on their Archer Platform systems:
· 2024.11 Update Release 1 (2024.11.01)
· 2024.11 Update Release 2 (2024.11.02)
· 2024.11 Update Release 3 (2024.11.03)
· 2024.11 Update Release 4 (2024.11.04)
· 2025.12
Archer recommends clients on older Archer application versions upgrade at the earliest opportunity and then run the script.
For questions or assistance, contact Archer Technical Support.
Legal Information
Read and use the information in this Archer Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Archer Technical Support. Archer distributes Archer Security Advisories in order to bring to the attention of users of the affected Archer products important security information.
Attachments
Originally posted on February 20, 2026 in the Archer Community.
Comments
1 comment
Hello,
The script worked and we managed to delete the vm2 from our server, but the ....\edge\node_modules\tough-cookie is also vulnerable(CVE-2023-26136). I assume that this is still used and cannot be deleted yet, right?
Originally posted on April 16, 2026.
Please sign in to leave a comment.