A newly disclosed vulnerability in WinRAR, identified as CVE-2025-31334, allows attackers to bypass a critical Windows security mechanism. This flaw impacts all WinRAR versions before 7.11, with a CVSS score of 6.8, signaling a high risk. The vulnerability exploits the Windows Mark of the Web (MotW) feature, which flags files from untrusted sources. Attackers use symbolic link shortcuts in archives to bypass this feature, allowing malicious code execution without triggering security alerts.
WinRAR fails to apply the MotW flag to files linked by symbolic shortcuts, enabling attackers to execute code without warning. While creating symbolic links typically requires admin privileges, compromised systems or those with relaxed permissions remain vulnerable. Users are exposed when they open malicious archives or visit compromised websites hosting weaponized files.
Successful exploitation gives attackers control over the victim’s system in the context of the logged-in user.
Although no active exploits have been confirmed, similar vulnerabilities like CVE-2023-38831 led to malware deployment, including DarkMe and Agent Tesla.
RARLAB has patched the flaw in version 7.11, and users are urged to upgrade immediately. The patch addresses the vulnerability by preventing exploitation of symbolic link shortcuts in archives. In addition to updating WinRAR, organizations should restrict symbolic link creation to trusted administrators to reduce the risk of attacks.
The discovery of the flaw by Taihei Shimamine of Mitsui Bussan Secure Directions was coordinated through JPCERT/CC and the Information Security Early Warning Partnership. This incident highlights the ongoing security challenges archiving tools face, particularly as attackers target widely used software like WinRAR. With over 500 million users globally, WinRAR remains an attractive target. The recurrence of MotW bypass flaws in archiving tools underscores the need for continuous software audits and timely user updates.
About Agent Tesla:
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS) offerings. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host. The Agent Tesla malware has been observed in spear phishing campaigns against multiple different industries, including energy, logistics, finance, and government.
Targets
The Agent Tesla malware has been observed in spear phishing campaigns against multiple different industries, including energy, logistics, finance, and government.
