CVE-2018-20250
CVE-2018-20250 is a high-severity vulnerability in Rarlab Winrar with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-15). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 96% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-15)
- EU (EUVD) id: EUVD-2018-12813
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-15)
- Weakness: CWE-22
- Affected product: Rarlab Winrar
- Published:
- Last modified:
Description
In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
CVE-2018-20250: WinRAR ACE Path Traversal Leading to Arbitrary Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-20250 |
| Published | 2019-02-05 |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVSS v2 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| CVSS v3.1 | 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| EPSS | 0.96274 (99.87th percentile) |
| CISA KEV | Listed since 2022-02-15 |
| Affected Product | RARLAB WinRAR (all versions prior to 5.61) |
Summary
WinRAR, one of the world's most widely used file archiving utilities, shipped with a vulnerable third-party library (UNACEV2.dll) for handling ACE archive format. By crafting a malicious ACE archive with a specially manipulated filename field, an attacker can bypass the intended extraction directory and write files to arbitrary absolute paths on the victim's filesystem — most critically the Windows Startup folder — achieving remote code execution upon the next system reboot or user logon.
Background
In early 2019, Check Point Research identified a critical vulnerability in WinRAR's ACE archive extraction routine. The issue resided not in WinRAR's core code, but in a legacy DLL (UNACEV2.dll) that had not been updated since 2006. ACE (Advanced Compression Engine) is an older archive format with declining usage, yet WinRAR included support for it by default. The vulnerability stemmed from improper validation of the filename field within the ACE archive header, which could be manipulated to contain absolute paths or directory traversal sequences (e.g., ..\).
Root Cause
The root cause is CWE-22: Path Traversal. Specifically:
- When extracting an ACE archive, UNACEV2.dll reads the filename field from the archive header.
- The library does not sanitize or validate this filename against directory traversal patterns.
- If the filename contains an absolute path (e.g.,
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe) or relative traversal sequences, the library treats it as a legitimate destination path. - WinRAR's own extraction destination folder is completely ignored, and the file is written to the attacker-specified location.
This is a classic case of insufficient input validation in a file-parsing routine, compounded by the use of an unmaintained third-party component.
Impact
The CVSS v3.1 score of 7.8 (HIGH) reflects severe impact despite local attack vector requirements:
- Confidentiality Impact (HIGH): An attacker can read sensitive files if the traversal is bidirectional, though the primary concern is arbitrary file placement.
- Integrity Impact (HIGH): Arbitrary files can be written to critical system locations.
- Availability Impact (HIGH): System availability can be compromised if malicious files are placed in startup locations or system directories.
- Attack Vector (LOCAL): Exploitation requires the victim to extract a malicious ACE archive locally. However, because WinRAR is often used to open email attachments and downloads, the practical attack vector is frequently network-borne social engineering.
- User Interaction (REQUIRED): The victim must explicitly open or extract the malicious archive.
The exceptionally high EPSS score of 0.96274 (96.3% probability of exploitation in the wild) and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog confirm this vulnerability has been and continues to be actively exploited.
Exploitation Walkthrough
Ethics Notice: The following describes the exploitation mechanism at a defensive level. No weaponized exploit code is provided. This information is intended to aid defenders in understanding attack patterns and building detection rules.
The exploitation chain is straightforward:
-
Archive Crafting: An attacker creates a legitimate-looking ACE archive. The filename field of one or more files inside the archive is modified to specify an absolute path pointing to a sensitive directory (most commonly the Windows Startup folder).
-
Social Engineering: The archive is distributed via phishing emails, malicious downloads, or compromised websites. The
.aceextension may be masked or the archive may be renamed to.rar(WinRAR will still process it using the appropriate library based on file headers, not extension). -
User Action: The victim opens the archive in WinRAR and may double-click a file or extract the archive. Due to the path traversal, the file is written to the attacker-specified absolute path rather than the chosen extraction folder.
-
Code Execution: If written to the Startup folder, the malicious file executes automatically on the next user logon or system reboot, giving the attacker persistent code execution without requiring further user interaction.
The simplicity of this chain — combined with WinRAR's massive install base — made this one of the most consequential file-format vulnerabilities of 2019.
Affected and Patched Versions
| Status | Version |
|---|---|
| Affected | WinRAR all versions prior to and including 5.61 |
| Patched | WinRAR 5.70 Beta 1 and later |
RARLAB removed support for the ACE format entirely in WinRAR 5.70 Beta 1, dropping the UNACEV2.dll dependency. This was the most definitive fix, as the ACE format had extremely low legitimate usage relative to the security risk.
Remediation
-
Upgrade WinRAR: Update to WinRAR 5.70 or later immediately. The ACE format is no longer supported, which eliminates the attack surface entirely.
-
Remove UNACEV2.dll: If immediate upgrading is not possible, manually delete or rename the
UNACEV2.dllfile in the WinRAR installation directory. This will prevent ACE archive processing (which will show an error) but eliminates the vulnerability. -
User Awareness: Train users to be suspicious of unsolicited archive attachments, especially ACE files or archives from unknown sources. Note that WinRAR processes archives by header content, not extension, so a renamed
.acefile may still be dangerous. -
Application Control: Use application whitelisting to prevent execution of unknown binaries from the Startup folder and other sensitive locations.
-
Email Gateway Filtering: Configure email security gateways to block or quarantine ACE archive attachments.
Detection
Defenders can detect exploitation and potential compromise through multiple approaches:
-
File Integrity Monitoring: Monitor the Windows Startup folders (
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupand%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup) for unexpected file creations. -
Endpoint Detection: Look for WinRAR processes writing files outside the intended extraction directory, especially to Startup or system folders.
-
Network Detection: Identify downloads of ACE archives from untrusted sources. While ACE format is rare today, any ACE file download should be treated as suspicious.
-
Process Monitoring: Alert on execution of unknown binaries from Startup folders following WinRAR activity.
Assessment
CVE-2018-20250 is a textbook example of the hidden risks posed by unmaintained third-party dependencies. The UNACEV2.dll had not been updated in over a decade, yet it shipped with one of the world's most popular Windows utilities, exposing hundreds of millions of users to trivial remote code execution.
Key Lessons:
-
Dependency Hygiene: Software vendors must regularly audit third-party libraries, especially those that are unmaintained or have minimal legitimate usage. ACE support added minimal value to WinRAR but carried catastrophic risk.
-
EPSS as a Priority Signal: With an EPSS score above 0.96, this vulnerability represents near-certain active exploitation. Security teams should prioritize patching or mitigation for any EPSS score above 0.5, and especially those above 0.9.
-
File Format Attack Surface: Attackers frequently target file parsing and extraction utilities because they process untrusted input with high privileges. Input validation in file format parsers is critical defensive territory.
References
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://www.win-rar.com/whatsnew.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250
- https://www.exploit-db.com/exploits/46552/
- https://www.exploit-db.com/exploits/46756/
- https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
- http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
- http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/106948
Frequently asked questions
- What is CVE-2018-20250?
- In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
- How severe is CVE-2018-20250?
- CVE-2018-20250 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-20250 being actively exploited?
- Yes. CVE-2018-20250 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-20250?
- CVE-2018-20250 affects Rarlab Winrar. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2018-20250?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-20250 have an EU (EUVD) identifier?
- Yes. CVE-2018-20250 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-12813. It is also flagged as exploited in the EUVD (since 2022-02-15).
- When was CVE-2018-20250 published?
- CVE-2018-20250 was published on 2019-02-05 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
- http://www.securityfocus.com/bid/106948
- https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
- https://research.checkpoint.com/extracting-code-execution-from-winrar/
- https://www.exploit-db.com/exploits/46552/
- https://www.exploit-db.com/exploits/46756/
- https://www.win-rar.com/whatsnew.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250
Affected products (1)
- cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*
More vulnerabilities in Rarlab Winrar
- CVE-2008-7144 — Critical (CVSS 10.0): Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to…
- CVE-2004-1254 — Critical (CVSS 10.0): WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing…
- CVE-2004-0234 — Critical (CVSS 10.0): Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as…
- CVE-2006-3845 — Critical (CVSS 9.3): Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary…
- CVE-2025-8088 — High (CVSS 8.8): A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code…
- CVE-2025-6218 — High (CVSS 7.8): RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to…
All CVEs affecting Rarlab Winrar →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…