Sunday, June 29, 2025

WinRAR flaw bypasses Windows Mark of the Web security alerts


A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine.

The security issue is tracked as CVE-2025-31334 and affects all WinRAR versions except the latest release, which is currently 7.11.

Mark of the Web is a security feature in Windows in the form of a metadata value (an alternate data stream named 'Zone.Identifier') that tags files downloaded from the internet as potentially unsafe.

When opening an executable with the MotW tag, Windows warns the user that it was downloaded from the internet and could be harmful, and offers the option to continue execution or terminate it.

Symlink to executable

The CVE-2025-31334 vulnerability can help a threat actor bypass the MotW security warning when opening a symbolic link (symlink) pointing to an executable file in any WinRAR version before 7.11.

An attacker could execute arbitrary code by using a specially crafted symbolic link. It should be noted that a symlink can be created on Windows only with administrator permissions.

The security issue received a medium severity score of 6.8 and has been fixed in the latest version of WinRAR, as noted in the application's changelog:

"If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored" – WinRAR

The vulnerability was reported by Shimamine Taihei of Mitsui Bussan Secure Directions through the Information-technology Promotion Agency (IPA) in Japan.

Japan's Computer Security Incident Response Team coordinated the responsible disclosure with WinRAR's developer.

Starting with version 7.10, WinRAR provides the option to remove from the MotW alternate data stream information (e.g. location, IP address) that could be considered a privacy risk.
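The MotW stream described above is a small text record, and the 7.10 privacy option strips its location fields while keeping the zone marker. The following added example (not code from the article or from WinRAR) parses a Zone.Identifier stream, decides whether it would trigger the warning, and reduces it to the ZoneId field the way that option does; the sample stream, the example.invalid host and the 203.0.113.10 address are constructed.

```python
"""Parse and sanitize Windows Mark-of-the-Web (Zone.Identifier) streams.

Added example, not code from the article or from WinRAR. The [ZoneTransfer]
section with ZoneId/ReferrerUrl/HostUrl keys is the documented Windows
format; the sample stream below is constructed for illustration.
"""
import configparser
from typing import Dict, Optional

# Constructed sample of what a browser writes for a downloaded archive.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://203.0.113.10/files/tool.rar\r\n"
)

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the [ZoneTransfer] key/value pairs; empty dict if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as Windows wrote it
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["ZoneTransfer"]) if cp.has_section("ZoneTransfer") else {}

def is_internet_origin(text: str) -> bool:
    """True when the file would trigger the MotW warning.
    ZoneId 3 = Internet, 4 = Restricted sites; lower zones do not warn."""
    zone = parse_zone_identifier(text).get("ZoneId", "")
    return zone.isdigit() and int(zone) >= 3

def strip_private_fields(text: str) -> str:
    """Keep only ZoneId so the warning survives but ReferrerUrl/HostUrl (download
    location, possibly an IP address) are dropped, as WinRAR 7.10's option does."""
    fields = parse_zone_identifier(text)
    if "ZoneId" not in fields:
        return text  # nothing to sanitize
    return f"[ZoneTransfer]\r\nZoneId={fields['ZoneId']}\r\n"

def read_motw(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on Windows/NTFS; None if it has none."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None
```

read_motw only returns a stream on Windows/NTFS; on other platforms it reports None, which is the same answer as a file that carries no mark.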

Threat actors, including state-sponsored ones, have exploited MotW bypasses in the past to deliver various malware without triggering the security warning.

Recently, Russian hackers leveraged such a vulnerability in the 7-Zip archiver, which did not propagate the MotW when double archiving (archiving a file inside another one), to run the Smokeloader malware dropper.
