CVE-2024-36052
📋 TL;DR
This vulnerability in WinRAR allows attackers to inject ANSI escape sequences into archive comments, which can spoof the screen output displayed to users. Attackers can make malicious files appear legitimate by manipulating what users see in WinRAR's interface. This affects Windows users running WinRAR versions before 7.00.
💻 Affected Systems
- WinRAR
📦 What is this software?
WinRAR by RARLAB
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into executing malicious files that appear to be legitimate, leading to malware installation, data theft, or system compromise.
Likely Case
Attackers create archives with spoofed file names or descriptions that hide the true nature of malicious content, increasing the success rate of phishing or malware distribution.
If Mitigated
With proper user awareness and security controls, users would verify file integrity through other means before execution, reducing the risk.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious archive), but the technique is simple and publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.00 and later
Vendor Advisory: https://www.rarlab.com/rarnew.htm
Restart Required: No
Instructions:
1. Download WinRAR 7.00 or later from the official website.
2. Run the installer and follow the prompts to update.
3. No restart is required, but close WinRAR during installation.
🔧 Temporary Workarounds
Disable archive comment display
Platform: Windows. Prevent WinRAR from displaying archive comments that could contain malicious ANSI sequences.
Command: not applicable; configure via WinRAR settings.
Use alternative archive tools
Platform: Windows. Temporarily switch to other archive software, such as 7-Zip, until patched.
🧯 If You Can't Patch
- Educate users to verify file extensions and properties before opening archives, not relying solely on WinRAR's display.
- Implement application whitelisting to block execution of unknown or suspicious files from archives.
🔍 How to Verify
Check if Vulnerable:
Open WinRAR, go to Help > About WinRAR, and check if the version is below 7.00.
Check Version:
winrar /?
Verify Fix Applied:
After updating, confirm the version is 7.00 or higher in Help > About WinRAR.
📡 Detection & Monitoring
Log Indicators:
- Unusual archive file access patterns or user reports of misleading file names in archives.
Network Indicators:
- Downloads of RAR archives from untrusted sources, especially with unusual file sizes or names.
SIEM Query:
EventID=4688 AND ProcessName LIKE '%winrar.exe%' AND (CommandLine CONTAINS '.rar' OR CommandLine CONTAINS '.zip')
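Added example, not code from this page or from RARLAB: a small Python checker that finds ECMA-48/ANSI escape sequences in an archive comment string, flags the cursor-movement and erase sequences that can overwrite text already on screen (the spoofing mechanism described in the TL;DR), and returns a sanitized copy for safe display. The sample comment and the `scan_bytes` triage helper are constructed for illustration and assume no particular archive parser.

```python
import re

# ECMA-48 escape-sequence classes: CSI (7-bit and 8-bit), OSC, and two-byte Fe sequences.
ANSI_RE = re.compile(
    r"(?P<csi>\x1b\[[0-?]*[ -/]*[@-~])"
    r"|(?P<csi8>\x9b[0-?]*[ -/]*[@-~])"
    r"|(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\))"
    r"|(?P<fe>\x1b[@-Z\\-_])"
)
# CSI final bytes that move the cursor, erase or scroll. These can overwrite text already
# on screen, which is what lets a comment spoof the listing the user sees.
SCREEN_REWRITE_FINALS = set("ABCDEFGHJKSTfsu")
# Constructed sample comment (not from a real archive): a plausible note, an erase-display
# plus cursor-home sequence, then replacement text.
SAMPLE_COMMENT = (
    "Quarterly report, see invoice.pdf\n"
    "\x1b[2J\x1b[H"
    "Verified archive - contents: invoice.pdf\x1b[0m"
)

def find_ansi_sequences(comment: str) -> list[tuple[int, str, str]]:
    """Return (offset, class, raw sequence) for every escape sequence in the comment."""
    return [(m.start(), m.lastgroup, m.group(0)) for m in ANSI_RE.finditer(comment)]

def strip_ansi(comment: str) -> str:
    """Return the comment with every escape sequence removed, safe to show as plain text."""
    return ANSI_RE.sub("", comment)

def assess_comment(comment: str) -> dict:
    """Count the sequences in a comment and flag those able to rewrite displayed text."""
    hits = find_ansi_sequences(comment)
    rewriting = [seq for _, kind, seq in hits
                 if kind in ("csi", "csi8") and seq[-1] in SCREEN_REWRITE_FINALS]
    return {
        "sequence_count": len(hits),
        "can_rewrite_screen": bool(rewriting),
        "rewriting_sequences": rewriting,
        "sanitized": strip_ansi(comment),
    }

def scan_bytes(data: bytes) -> list[tuple[int, str, str]]:
    """Triage over raw file bytes (e.g. a downloaded .rar) without parsing the RAR format:
    latin-1 maps each byte to one char. Heuristic only; compressed data can false-positive."""
    return find_ansi_sequences(data.decode("latin-1"))

if __name__ == "__main__":
    report = assess_comment(SAMPLE_COMMENT)
    print(f"sequences: {report['sequence_count']}  can rewrite screen: {report['can_rewrite_screen']}")
    print("sanitized:", repr(report["sanitized"]))
```

Run `assess_comment` over comments extracted by whatever archive tooling you trust, and treat any hit in `rewriting_sequences` as a reason to quarantine the archive rather than display its comment.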