CVE-2023-38831: RARLabs WinRAR Zero-Day RCE

Group-IB Threat Intelligence has uncovered a significant zero-day vulnerability in RARLabs' WinRAR software. Since April 2023, this vulnerability has been actively exploited to distribute multiple malware strains, such as DarkMe, GuLoader, and Remcos RAT.

The exploitation tricks traders into clicking on files within an archive, ultimately enabling the attackers to compromise online cryptocurrency trading accounts.

The WinRAR zero-day vulnerability enabled threat actors to craft malicious .RAR and .ZIP archives that presented apparently harmless files, such as JPG (.jpg) images, text files (.txt), or PDF (.pdf) documents, potentially resulting in arbitrary code execution.


In WinRAR versions prior to 6.23 by RARLabs, a security vulnerability exists that permits attackers to execute arbitrary code. It is triggered when a user tries to view a benign file within a ZIP archive. The problem arises from the structure of the archive: a benign file (such as a standard .JPG file) shares the same name as a folder within the archive. When the user attempts to open the benign file, the contents of the folder, which may include executable content, are processed instead.


When opening such an archive, users are presented with what appears to be a harmless file, such as a PDF, alongside a folder that shares the same name, as demonstrated below.

Whenever a user double-clicks the PDF, CVE-2023-38831 quietly launches a script from the folder to install malware on the device. At the same time, the script also opens a benign document, as shown in the PoC, and the attacker gains remote access to the victim's system.
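The structural indicator described above (a file entry whose name collides with a folder entry in the same archive, and script or executable content inside that folder) can be checked before an archive is ever opened. The following Python script is an added example written for this post, not Group-IB's or RARLabs' code. It builds two small archives in memory from constructed sample entries (the "placeholder" script content is an inert marker, not a payload), then scans each for the name-collision pattern and reports any executable children of the colliding folder. The `SCRIPT_EXTENSIONS` list and the name-matching rules are this example's own assumptions about what a defender would want flagged, not something the post specifies.

```python
import io
import posixpath
import zipfile

# Extensions a defender would treat as executable content inside the colliding
# folder. Assumption of this example; extend to taste for your environment.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}

# Constructed sample entries (not taken from any real sample).
COLLISION_SAMPLE = {
    "report.pdf": b"%PDF-1.4 constructed decoy document",
    "report.pdf/report.pdf.cmd": b"rem constructed placeholder, not a payload",
}
CLEAN_SAMPLE = {
    "photo.jpg": b"\xff\xd8\xff constructed image bytes",
    "notes/readme.txt": b"constructed text file",
}


def build_sample_archive(entries: dict) -> bytes:
    """Write the given name -> bytes entries into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_archive(zip_bytes: bytes) -> list:
    """Return one finding per file entry whose name collides with a folder.

    Folders are derived from explicit directory entries and from the path
    prefixes of file entries, because a ZIP need not store directory records.
    Names are compared case-insensitively to mirror Windows file-name rules.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]

    dir_lookup = {}  # casefolded folder path -> original folder path
    for n in names:
        parts = n.rstrip("/").split("/")
        # An explicit directory entry is itself a folder; for a file entry,
        # every proper path prefix is a folder.
        depth = len(parts) if n.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            folder = "/".join(parts[:i])
            dir_lookup.setdefault(folder.casefold(), folder)

    findings = []
    for f in files:
        key = f.casefold()
        if key not in dir_lookup:
            continue
        children = [c for c in files if c.casefold().startswith(key + "/")]
        executables = [
            c for c in children
            if posixpath.splitext(c)[1].casefold() in SCRIPT_EXTENSIONS
        ]
        findings.append({
            "decoy": f,
            "folder": dir_lookup[key],
            "children": children,
            "executables": executables,
        })
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """True when any file/folder name collision carries executable children."""
    return any(finding["executables"] for finding in scan_archive(zip_bytes))


if __name__ == "__main__":
    for label, sample in (("collision", COLLISION_SAMPLE), ("clean", CLEAN_SAMPLE)):
        data = build_sample_archive(sample)
        print(f"{label}: suspicious={is_suspicious(data)}")
        for finding in scan_archive(data):
            print("  decoy:", finding["decoy"])
            print("  folder:", finding["folder"])
            print("  executables:", finding["executables"])
```

Run as a script it prints one finding for the constructed collision archive and none for the clean one. In a mail gateway or endpoint scanner, `is_suspicious` would gate the archive before it reaches a user's WinRAR, complementing the update to 6.23 rather than replacing it.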


Immediate Action Required: WinRAR users are strongly advised to manually update their software to version 6.23 as soon as possible. This action is necessary to safeguard their systems from potential cyber threats.

Besides CVE-2023-38831, the latest update also resolves a critical Remote Code Execution (RCE) vulnerability, namely CVE-2023-40477, which, if maliciously exploited, could result in significant consequences.

Contributed by Sharanu Kalyan
