CVE-2023-38831
CVE-2023-38831 is a high-severity vulnerability in Rarlab Winrar with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-08-24). The underlying weakness is classified as CWE-345.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-08-24)
- EU (EUVD) id: EUVD-2023-42604
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-08-24)
- Weakness: CWE-345
- Affected product: Rarlab Winrar
- Published:
- Last modified:
Description
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
CVE-2023-38831: WinRAR ZIP Extension Spoofing Leads to Arbitrary Code Execution
AI-generated analysis based on the vulnerability data on this page.
| CVE ID | CVE-2023-38831 |
| Severity | HIGH (CVSS 7.8) |
| CWE | CWE-345 – Insufficient Verification of Authenticity |
| EPSS | 97.8 % (0.99898 percentile) |
| KEV | Yes (CISA, since 2023-08-24) |
| Published | 2023-08-23 |
| Product | RARLAB WinRAR |
| Patched | 6.23 |
Summary
WinRAR before version 6.23 is vulnerable to an extension-spoofing attack inside ZIP archives. An attacker can craft a ZIP file that contains both an innocent-looking file (e.g., a .jpg) and a folder sharing the exact same name. When the victim double-clicks the benign file to preview it, WinRAR mistakenly processes the folder contents—potentially launching an executable script—instead of the image. This vulnerability was exploited in the wild between April and October 2023.
Background
WinRAR is a widely deployed file archiver for Windows, with hundreds of millions of users. Its built-in preview feature lets users open files inside archives without extracting them first. The vulnerability stems from how WinRAR resolves file paths when a file and a folder share the same name inside a ZIP archive.
Root Cause
The weakness maps to CWE-345: Insufficient Verification of Authenticity. WinRAR does not adequately validate that the file extension of the item being previewed matches the actual content being executed. When a ZIP entry contains both document.jpg and a folder named document.jpg/, WinRAR's path-resolution logic can be tricked into processing the folder contents (which may include .bat, .cmd, or .exe files) rather than the benign image. The archive structure effectively impersonates a safe file type while delivering malicious content.
Impact
With a CVSS v3 score of 7.8 (HIGH), the confidentiality, integrity, and availability impacts are all rated HIGH. The vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates:
- Attack Vector (AV): Local — requires user interaction
- Attack Complexity (AC): Low — trivial to construct the archive
- Privileges Required (PR): None — runs with user privileges
- User Interaction (UI): Required — victim must open the file
- Scope (S): Unchanged
- Confidentiality/Integrity/Availability (C/I/A): All HIGH
An attacker can achieve arbitrary code execution with the victim's privileges, leading to full system compromise, data theft, or further lateral movement.
Exploitation Walkthrough
This section is provided for defensive awareness only. No weaponized exploit code is included.
- Archive Preparation: The attacker creates a ZIP archive containing a benign file (e.g.,
statement.pdf) alongside a folder namedstatement.pdf/. Inside the folder, the attacker places a malicious script or executable. - Social Engineering: The archive is delivered via email, forum post, or download site, often themed around trading, finance, or urgent documents.
- User Action: The victim opens the archive in WinRAR and double-clicks what appears to be
statement.pdfto preview it. - Execution: Due to path-resolution confusion, WinRAR processes the folder contents rather than the PDF, executing the attacker's payload.
- Post-Exploitation: The attacker may install backdoors, steal credentials, or move laterally within the network.
Ethics caveat: Attempting to recreate this attack against systems you do not own or have explicit permission to test is illegal in most jurisdictions.
Affected and Patched Versions
- Affected: RARLAB WinRAR before 6.23
- Patched: WinRAR 6.23 and later
The vulnerable CPE is cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*.
Remediation
- Upgrade immediately to WinRAR 6.23 or later from the official RARLAB website.
- Compensating controls:
- Block or quarantine ZIP attachments at email gateways, especially those containing nested folders that mimic file names.
- Restrict software execution from temporary directories (e.g.,
AppData\Local\Temp) using AppLocker or Windows Defender Application Control (WDAC). - Train users to extract archives to a designated folder and inspect contents with a file manager before opening any file.
- Disable preview features in archive utilities where possible.
Detection
- File indicators: Look for ZIP archives containing files and folders with identical names (e.g.,
invoice.pdfandinvoice.pdf/). - Behavioral indicators: Monitor for unexpected process execution spawned by
WinRAR.exe, especially child processes likecmd.exe,powershell.exe, orwscript.exe. - Network indicators: Review proxy and firewall logs for outbound connections initiated shortly after WinRAR is opened, especially to known trading or financial platforms (this was a common targeting theme).
- Endpoint detection: Use EDR rules that flag execution from WinRAR's temporary extraction paths.
Assessment
This vulnerability carries an EPSS score of 0.97798 (99.9th percentile), reflecting near-certain active exploitation. It has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2023-08-24 and in the EU Vulnerability Database (EUVD-2023-42604) with the same date. Google's Threat Analysis Group and Group-IB both reported widespread exploitation targeting traders and financial institutions.
Key lessons:
- File-type validation must be strict and content-aware, not merely extension-based. Archive tools that preview files before extraction are high-value targets for extension-spoofing attacks.
- Rapid patching is critical for client-side software. Despite WinRAR's auto-update mechanism, many organizations remain on older versions because they are not centrally managed. Software asset management and patch orchestration for third-party utilities are essential security controls.
References
- http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
- https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- https://news.ycombinator.com/item?id=37236100
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38831
Frequently asked questions
- What is CVE-2023-38831?
- RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
- How severe is CVE-2023-38831?
- CVE-2023-38831 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-38831 being actively exploited?
- Yes. CVE-2023-38831 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-08-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-38831?
- CVE-2023-38831 affects Rarlab Winrar. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-38831?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-38831 have an EU (EUVD) identifier?
- Yes. CVE-2023-38831 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-42604. It is also flagged as exploited in the EUVD (since 2023-08-24).
- When was CVE-2023-38831 published?
- CVE-2023-38831 was published on 2023-08-23 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
- https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- https://news.ycombinator.com/item?id=37236100
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38831
Affected products (1)
- cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*
More vulnerabilities in Rarlab Winrar
- CVE-2008-7144 — Critical (CVSS 10.0): Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to…
- CVE-2004-1254 — Critical (CVSS 10.0): WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing…
- CVE-2004-0234 — Critical (CVSS 10.0): Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as…
- CVE-2006-3845 — Critical (CVSS 9.3): Stack-based buffer overflow in lzh.fmt in WinRAR 3.00 through 3.60 beta 6 allows remote attackers to execute arbitrary…
- CVE-2025-8088 — High (CVSS 8.8): A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code…
- CVE-2025-6218 — High (CVSS 7.8): RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to…
All CVEs affecting Rarlab Winrar →
Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities
- CVE-2026-35051 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an…
- CVE-2014-8165 — Critical (CVSS 10.0): scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote…
- CVE-2026-50195 — Critical (CVSS 9.9): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the…
- CVE-2022-36130 — Critical (CVSS 9.9): HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated…
- CVE-2026-50214 — Critical (CVSS 9.8): The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing…
- CVE-2025-15385 — Critical (CVSS 9.8): Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows…
Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →