Security update: Attackers can inject Winrar with malicious code
Under certain conditions, attackers can bypass a Windows protection mechanism and execute malicious code.
Attackers can exploit a security vulnerability in Winrar and attack Windows PCs with malicious code. The developers have closed the vulnerability in the current version.
Malicious code attack
The Japanese JPCERT discovered the vulnerability. In a report, they write that all Winrar versions are affected. Winrar version 7.11 is protected against possible attacks. So far there are no indications of ongoing attacks. In the current version, the developers have not only solved the security problem, but also fixed some bugs. As can be seen from the changelog, they have optimized the handling of CAB archives, among other things.
The vulnerability (CVE-2025-31334, "medium") has a CVSS score of 6.8 and only just misses the "high" threat level. If attackers create a crafted symbolic link that points to an executable file with malicious code, the vulnerability allows them to bypass the Windows Mark-of-the-Web (MotW) security mechanism. Among other things, MotW ensures that when a file downloaded from the Internet is opened, Windows displays a security warning that the file could be potentially dangerous.
In this case, MotW is bypassed and victims execute malicious code. By default, however, only Windows admins can create symbolic links. This hurdle is obviously the reason for the threat level classification of the vulnerability.
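As an added example (not part of the original article and not WinRAR code), the following PowerShell audit lists the symbolic links in a folder where an archive was unpacked and shows, for each link, whether its target is an executable file type and which MotW zone the target carries. The folder path and the extension list are assumptions chosen for illustration.

```powershell
# Added example: audit an extraction folder for symbolic links to executables
# and report the Mark-of-the-Web zone of each link target.
param(
    # Assumed location of the unpacked archive; pass the folder under review.
    [string]$Root = "$env:USERPROFILE\Downloads\extracted"
)

# Illustrative list of directly runnable file types; extend as needed.
$ExecExt = '.exe', '.com', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi'

function Get-ZoneId {
    param([string]$Path)
    # MotW lives in the NTFS alternate data stream "Zone.Identifier",
    # an INI-style text block containing a line such as "ZoneId=3".
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream or no ZoneId line: the file carries no MotW
}

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -eq 'SymbolicLink' } |
    ForEach-Object {
        $target = @($_.Target)[0]          # Target can be a collection in PS 5.1
        if (-not $target) { return }       # skip links whose target is unreadable

        # Resolve relative link targets against the folder that holds the link.
        if (-not [IO.Path]::IsPathRooted($target)) {
            $parent = Split-Path -LiteralPath $_.FullName -Parent
            $target = [IO.Path]::GetFullPath((Join-Path $parent $target))
        }

        [pscustomobject]@{
            Link         = $_.FullName
            Target       = $target
            TargetExists = Test-Path -LiteralPath $target
            Executable   = $ExecExt -contains [IO.Path]::GetExtension($target).ToLower()
            # 0 = local machine, 1 = intranet, 2 = trusted, 3 = Internet,
            # 4 = restricted; empty means the target has no MotW at all.
            TargetZone   = Get-ZoneId $target
        }
    } | Format-Table -AutoSize
```

Rows with Executable set to True and an empty TargetZone are the ones to review first, since opening such a link would run a program without the MotW warning.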
Not the first time
MotW vulnerabilities make the headlines time and again. It was only at the beginning of 2025 that it became known that attackers had exploited such a gap in 7-Zip. Around a year ago, the Winrar developers also closed a MotW vulnerability.
(des)