A recently disclosed vulnerability in WinRAR lets attackers sidestep a core Windows download protection and run an attacker-supplied executable on a target system. The flaw, tracked as CVE-2025-31334, affects all WinRAR versions prior to 7.11 and carries a CVSS score of 6.8 (medium severity): it needs user interaction and does not grant elevated privileges by itself, but it removes the warning a user would otherwise see before running a downloaded program.
The feature being bypassed is the Mark of the Web (MotW), the Zone.Identifier alternate data stream that Windows attaches to files downloaded from the Internet zone and that SmartScreen, the "open file" security prompt and Office Protected View consult before a file is run or opened. The bug lies in how WinRAR handles symbolic links inside an archive. If an attacker ships an archive that contains a symbolic link pointing to an executable, and the victim opens that link from WinRAR's file list, WinRAR ignores the MotW data on the linked executable and runs it without the usual warning, even though the executable itself was tagged as coming from an untrusted source.
Extracting a symbolic link requires the SeCreateSymbolicLinkPrivilege, which Windows grants only to an elevated administrator token by default, so the attack fails for a standard user on a default configuration. Two common setups remove that barrier: a user who runs WinRAR elevated or from a compromised administrator account, and any workstation with Windows Developer Mode enabled, which lets unprivileged users create symbolic links. Users should not extract or browse archives from untrusted sources, and should treat an archive that drops symbolic links as suspicious even when its file names look harmless.
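The following PowerShell script is an added example, not code from the original article, RARLAB or the reporting team. It shows the two checks the preceding paragraphs imply: whether the current token holds SeCreateSymbolicLinkPrivilege (so that a symlink entry would even extract), and an audit of an extraction directory that resolves every symbolic link to its target, reports whether the target is an executable, and reads the target's MotW ZoneId from the Zone.Identifier stream. It assumes Windows with PowerShell 5.1 or later on an NTFS volume; the demo directory, file names and the stand-in "payload" are constructed for the example.

```powershell
# Added example (not from the article or RARLAB). Assumes Windows, PowerShell 5.1+, NTFS.
# All paths and file names below are hypothetical and constructed for the demo.

function Get-MotWZone {
    # Returns the ZoneId recorded in a file's Zone.Identifier stream (3 = Internet),
    # or $null when the file carries no Mark of the Web.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($lines)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-SymlinkPrivilege {
    # whoami /priv lists the privileges present in the current token.
    # SeCreateSymbolicLinkPrivilege is absent from a non-elevated token unless
    # Developer Mode is on; without it a symlink entry cannot be extracted at all.
    $privs = & whoami.exe /priv 2>$null
    return [bool](@($privs) -match 'SeCreateSymbolicLinkPrivilege')
}

function Find-ExecutableSymlinks {
    # Walks an extraction directory, resolves each symbolic link and reports the
    # ones whose target is an executable, together with the target's MotW zone.
    # Any such link in archive output is the artefact this bug is triggered with.
    param([Parameter(Mandatory)][string]$Root)
    $exeExt = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.ps1', '.js', '.vbs', '.msi'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File |
        Where-Object { $_.LinkType -eq 'SymbolicLink' } |
        ForEach-Object {
            # .Target is string[] on PowerShell 5.1 and string on 7+; take the first entry.
            $target = @($_.Target)[0]
            if (-not [System.IO.Path]::IsPathRooted($target)) {
                $target = Join-Path $_.DirectoryName $target   # relative links resolve beside the link
            }
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            [pscustomobject]@{
                Link         = $_.FullName
                Target       = $target
                TargetExists = $exists
                IsExecutable = $exeExt -contains [System.IO.Path]::GetExtension($target).ToLower()
                TargetZone   = if ($exists) { Get-MotWZone -Path $target } else { $null }
            }
        } |
        Where-Object { $_.IsExecutable }
}

# --- Constructed demonstration in a temporary directory ---------------------
$demo = Join-Path $env:TEMP 'motw-symlink-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# Stand-in for the attacker's binary: not a real executable, just a tagged file.
$payload = Join-Path $demo 'payload.exe'
Set-Content -LiteralPath $payload -Value 'MZ stand-in, not a real executable'
# This is what a downloaded/extracted file looks like once MotW has been applied.
Set-Content -LiteralPath $payload -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"payload.exe ZoneId: $(Get-MotWZone -Path $payload)"

if (Test-SymlinkPrivilege) {
    # The link is the entry a malicious archive would carry; its innocuous name is
    # what the victim sees in the WinRAR file list.
    $link = Join-Path $demo 'open-me.txt'
    try {
        New-Item -ItemType SymbolicLink -Path $link -Target $payload -Force | Out-Null
        Find-ExecutableSymlinks -Root $demo | Format-List
    } catch {
        "Symlink creation failed: $($_.Exception.Message)"
    }
} else {
    'This token lacks SeCreateSymbolicLinkPrivilege; a symlink entry would not extract here.'
}
```

Run it in an elevated PowerShell to see the full path: the audit lists open-me.txt resolving to payload.exe with TargetZone 3, which is exactly the case a patched WinRAR warns about and a vulnerable one does not. Run it unelevated on a machine without Developer Mode and the privilege check short-circuits, matching the mitigation described above. The audit is also usable on its own against any folder WinRAR has just extracted into: a symbolic link whose target is an executable has no business being in a downloaded archive.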
The flaw was reported by Taihei Shimamine of Mitsui Bussan Secure Directions and coordinated through JPCERT/CC under the Information Security Early Warning Partnership. RARLAB, the developer of WinRAR, has fixed it and urges users to update to version 7.11 or later from the official RARLAB website. Because the defect is in WinRAR's own handling of the link rather than in Windows, hardening Windows settings does not substitute for the update. The incident is a reminder to keep archive tools patched: the executable still lands on disk and remains visible to endpoint detection, but the one prompt that would have stopped an unwary user from running it is gone.