Exploiting WinRar Zero-day [CVE-2023-38831] | File extension spoofing vulnerability | 25 August 2023

There is a new [Maybe not!] exploit in the cyber town!
Our favorite zipping tool WinRAR is affected by a vulnerability that could potentially lead to the execution of unauthorized code. The final exploit would look like a harmless file located within an archive file. The problem arises from the fact that the archive file might contain both a harmless file, such as a regular .PDF file, and a folder sharing the same file name. An executable file or script with spoofed extension?

During an attempt to access the .PDF file, the contents of the folder, which could include executable content gets processed. This vulnerability was considered to be exploited in real-world instances between April and August 2023, as reported by Group IB Intelligence team.

The initial access code execution possibilities are huge with the existence of such security issues. That makes it hard for the defenders and internal security teams to take coutermeasures.


Here is a short PoC video made out of pieces from here and there.

Flow of execution:
WinRar.exe v6.21 [Vulnerable version]
-> Weaponized .RAR file
-> Victim opens the .PDF file [Instead of .PDF file a .BAT script executes leveraging the spoofed file extension]
-> Executes calc.exe and .PDF file.


I'll include detailed exploitation scenarios and emulation plans for this exploit to assess the defenses in the corporate environment in the next update. Keep an eye on this page.

Affected Versions

WinRar versions < 6.23 considered to be vulnerable.


Update update update!!
Update your WinRAR installation to the latest version. [https://www.rarlab.com/download.htm]


Group IB Blog post: https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

Go back to Adversary Tactics