NEWS Through an Archive — Into the System: WinRAR Vulnerability Opens Door to Attacks

Doni

WinRAR allowed code execution bypassing Windows security.

A newly discovered vulnerability in the WinRAR archiver allowed attackers to bypass Windows' "Mark of the Web" (MotW) security mechanism, potentially leading to the execution of malicious code. The issue was reported by JPCERT/CC, following an analysis by Mitsui Bussan Secure Directions.


The vulnerability affects WinRAR versions prior to 7.11. The core issue lies in how symbolic links to executable files were handled. When such a link was opened, Windows failed to trigger the usual warning associated with files downloaded from the internet. Normally, Windows flags files from untrusted sources with a special marker, prompting a security alert before execution. However, symbolic links bypassed this check, enabling silent execution of harmful files.


Although creating symbolic links requires administrator privileges, the vulnerability still posed a risk in scenarios where an attacker had limited access to the system or could tamper with archive contents before extraction. A crafted archive could be used in social engineering attacks, tricking users into opening a file that appears harmless.


According to JPCERT/CC, the vulnerability has been assigned the identifier CVE-2025-31334 and received a CVSS score of 6.8. This rating reflects the fact that successful exploitation depends on specific conditions — particularly, user interaction — but the consequences could be severe, including full system takeover, data manipulation, and denial of service (DoS).


RARLAB, the developer of WinRAR, has released a patch addressing the issue. All users are strongly encouraged to update to version 7.11 or later. In addition, users should scan archives with antivirus software before opening them and be cautious with files received via email or downloaded from the internet.


Notably, in February 2025, version 7.10 of WinRAR introduced performance, interface, and security enhancements. One important change was the ability to limit the information stored in MotW tags — now, the archiver can retain only the zone identifier, excluding details like the URL or IP address of the file’s origin. This reduces the risk of information leaks during file sharing while still preserving Windows’ protective mechanisms.
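For readers who want to check what the article describes on their own machines, the following PowerShell script is an added example and not code from the post, from RARLAB or from JPCERT/CC. It audits a folder of extracted files, reports whether each file carries a Mark of the Web (the `Zone.Identifier` alternate data stream), whether that stream still contains origin URLs (the detail WinRAR 7.10+ can omit, keeping only `ZoneId`), and flags reparse points such as symbolic links, which are the objects the CVE-2025-31334 write-up says skipped the MotW prompt. The extraction directory, the list of executable extensions and the optional re-tagging of untagged executables are this example's own assumptions.

```powershell
# Added example (not from the original post): audit extracted archive contents for
# Mark-of-the-Web coverage and flag symbolic links / other reparse points.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume (ADS required).
param(
    # Placeholder path; point this at the directory an archive was extracted into.
    [string]$ExtractDir = "$env:USERPROFILE\Downloads\extracted",
    # Optional: re-apply an Internet-zone MotW (ZoneId=3) to executables that lack one.
    [switch]$Remediate
)

# Extensions treated as "executable enough" to warrant a MotW. Assumption of this example.
$ExecutableExt = @('.exe','.dll','.scr','.com','.bat','.cmd','.ps1','.js','.vbs','.lnk','.msi','.hta')

function Get-MotwInfo {
    param([string]$Path)
    # Windows stores the MotW in the Zone.Identifier alternate data stream:
    #   [ZoneTransfer]
    #   ZoneId=3            <- 3 = Internet zone; this is what triggers the warning
    #   ReferrerUrl=...     <- origin details that WinRAR 7.10+ can leave out
    #   HostUrl=...
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($text -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    [pscustomobject]@{
        ZoneId  = $zoneId
        HasUrls = [bool]($text -match '(?m)^(ReferrerUrl|HostUrl)=')
    }
}

function Set-InternetZoneMotw {
    param([string]$Path)
    # Minimal MotW carrying only the zone, mirroring the "zone identifier only" mode
    # described for WinRAR 7.10: no ReferrerUrl / HostUrl is written.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

$results = Get-ChildItem -LiteralPath $ExtractDir -Recurse -Force | ForEach-Object {
    $item      = $_
    # ReparsePoint covers symbolic links, junctions and similar redirections.
    $isReparse = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
    $isExec    = (-not $item.PSIsContainer) -and ($ExecutableExt -contains $item.Extension.ToLower())
    $motw      = if ($item.PSIsContainer) { $null } else { Get-MotwInfo -Path $item.FullName }

    $flags = @()
    if ($isReparse)                   { $flags += 'REPARSE_POINT' }
    if ($isExec -and -not $motw)      { $flags += 'EXECUTABLE_WITHOUT_MOTW' }
    if ($motw -and $motw.HasUrls)     { $flags += 'MOTW_CONTAINS_ORIGIN_URLS' }

    if ($Remediate -and $isExec -and -not $motw -and -not $isReparse) {
        Set-InternetZoneMotw -Path $item.FullName
        $flags += 'MOTW_APPLIED'
    }

    [pscustomobject]@{
        Path    = $item.FullName
        Reparse = $isReparse
        ZoneId  = if ($motw) { $motw.ZoneId } else { $null }
        Flags   = ($flags -join ',')
    }
}

# Show only entries that need attention; drop the Where-Object to list everything.
$results | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it as `.\Audit-Extracted.ps1 -ExtractDir 'C:\path\to\extracted'` after unpacking an archive from an untrusted source. An `EXECUTABLE_WITHOUT_MOTW` row means Windows would launch that file without the usual download warning, which is exactly the condition the article describes; `REPARSE_POINT` rows show where a link inside the archive redirects to another location and deserve a look before anything is opened. `-Remediate` only adds a zone-only tag and never removes anything, so it is safe to run on a folder you intend to keep.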
 