Archer Special Advisory: vm2 Vulnerability (CVE-2026-22709)
Special advisories relate to CVEs and security events with broad industry interest even when we know our products and platforms are not affected.
Applies To
vm2 Publication: Sandbox Escape · Advisory · patriksimek/vm2 · GitHub
CVE Details: NVD - CVE-2026-22709
Details
Archer is aware of the vm2 Vulnerability (CVE 2026 22709) disclosed on January 26, 2026.
The following components are not affected:
- Archer SaaS and Archer Hosted
- Archer Engage for Vendors
- Archer Engage
- Archer DocGov
- Archer Insight
- Archer Application versions
- SaaS 2025.02 or higher
- LTS 2024.11 Update Release 1 or higher
- LTS 2025.12 or higher
OnPrem Clients running older Archer Application version or who have backup files for older Archer Application versions may find evidence of vm2 in those versions.
Archer recommends clients on older Archer application versions upgrade at the earliest opportunity.
Update 2/5/2026: Archer appreciates the feedback clients have provided on this issue. We are investigating the upgrade path from older code releases that contained vm2 to newer versions where the new components have been introduced. It appears in some cases the older vm2 version remained on the system. Archer is working to provide details on client next steps.
We appreciate your patience as we work through this to ensure we can supply our clients with full remediation options. More updates will be supplied.
Legal Information
Read and use the information in this Archer Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Archer Technical Support. Archer distributes Archer Security Advisories in order to bring to the attention of users of the affected Archer products important security information.
Originally posted on February 3, 2026 in the Archer Community.
Comments
4 comments
So, just to confirm again in order to remediate CVE-2026-22709, it is recommended to upgrade to any of the below Archer version right?
Originally posted on February 4, 2026.
Correct
Originally posted on February 4, 2026.
Once we upgrade to 2025.12, will that remove the backup files?
Originally posted on February 4, 2026.
Has there been any updates on how to resolve this?
Originally posted on February 16, 2026.
Please sign in to leave a comment.