- Security researchers uncover new flaw in WinRAR
- The flaw allowed threat actors to bypass Mark of the Web and deploy malware to Windows devices without warning
- WinRAR released a new version to fix the bug, so update now
Experts have uncovered a flaw in WinRAR which could allow threat actors to bypass the Mark of the Web (MotW) and deploy malware on people’s computers.
The vulnerability was discovered by Japanese researcher Shimamine Taihei from the Mitsui Bussan Secure Directions, and is now tracked as CVE-2025-31334, and was given a severity score of 6.8/10 (medium).
MotW is a security mechanism that displays a warning when an executable file is downloaded from the internet. It is built into Windows and serves as an additional layer of security, warning people that files downloaded from the internet might be dangerous – however, there is a way to work around the warning when a file is shared in an archived format.
Symlink
“If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored,” WinRAR explained the vulnerability.
A symlink (short for symbolic link) is a shortcut or alias to a file or folder. Instead of copying a file, a symlink just points to it. Therefore, a hacker could create a symlink pointing to an executable with MotW, and if a victim runs it, the MotW wouldn’t show.
The vulnerability was found in all older versions of WinRAR, and it was addressed in version 7.11, which is now available for download.
Ever since Mark of the Web was introduced, cybercriminals have been looking for different ways to bypass it and deliver malware without warning.
In late January 2025, 7-Zip patched a major flaw that enabled just that. It is tracked as CVE-2025-0411 and was given a high severity score, 7/10. Earlier still, in 2022, researchers found a password-protected .ZIP file with an .ISO file inside that was able to bypass MotW.
To mitigate the risk, users should always keep their archivers up to date, and be vigilant when downloading files from the internet.
Via BleepingComputer
