CVE-2025-31334

6.8 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass Windows' 'Mark of the Web' security warnings by tricking users into opening malicious symbolic links in WinRAR. When exploited, it can lead to arbitrary code execution on the victim's system. Users of WinRAR versions before 7.11 are affected.

💻 Affected Systems

Products:
  • WinRAR
Versions: All versions prior to 7.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows OS with Mark of the Web functionality. Users must open a malicious symbolic link within an archive.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or malware execution when users open malicious archive files containing symbolic links.

🟢 If Mitigated

No impact if users avoid opening untrusted archives or have updated WinRAR.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but common in phishing campaigns.
🏢 Internal Only: MEDIUM - Internal users could be tricked via email attachments or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious archive. No authentication is needed for the file-opening action.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.11 and later

Vendor Advisory: https://www.win-rar.com/start.html?&L=0

Restart Required: No

Instructions:

1. Download WinRAR 7.11 or later from the official website.
2. Run the installer.
3. Follow the installation prompts.
4. No restart is required.

🔧 Temporary Workarounds

Disable symbolic link extraction (Platform: Windows)

Configure WinRAR to not extract symbolic links from archives.

Use alternative archive software (Platform: Windows)

Temporarily use 7-Zip or other archive tools until patched.

🧯 If You Can't Patch

  • Implement application whitelisting to block WinRAR execution
  • Educate users to never open archive files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Open WinRAR, go to Help > About WinRAR, check if version is below 7.11

Check Version (PowerShell; note that "winrar /?" only displays the command-line help and does not report the installed version, so read the file version of the executable instead):

(Get-Item "$env:ProgramFiles\WinRAR\WinRAR.exe").VersionInfo.FileVersion

Verify Fix Applied:

Confirm WinRAR version is 7.11 or higher in Help > About

📡 Detection & Monitoring

Log Indicators:

  • WinRAR process spawning unexpected child processes
  • Execution of files from temporary archive extraction directories

Network Indicators:

  • Unusual outbound connections following archive file opening

SIEM Query:

Process Creation where (Image contains 'winrar.exe' OR ParentImage contains 'winrar.exe') AND (CommandLine contains '.lnk' OR CommandLine contains 'symlink')

Note: both OR groups must be parenthesized; without the second pair, any command line containing 'symlink' would match regardless of whether WinRAR is involved. The CommandLine filters match only those literal strings, so pair this query with the process-tree indicators above rather than relying on it alone.
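As an added illustration of the two log indicators above (not part of the original advisory), the following Python evaluator applies them to a handful of constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, the allowlist of viewer programs that WinRAR legitimately launches, and the rule names are assumptions. The "Rar$" temporary-folder pattern is the name WinRAR uses for the folder it extracts to when a file is opened directly from inside an archive.

```python
"""Evaluate two WinRAR-related process-creation indicators over sample events:
1. WinRAR spawning a child process that is not a known viewer program.
2. A process image or command line that references a WinRAR temporary
   extraction folder (%TEMP%\\Rar$...).
"""
import ntpath
import re

# Assumed allowlist of programs WinRAR normally launches when a user opens a
# document from inside an archive. Tune this for your environment.
DEFAULT_ALLOWLIST = {"notepad.exe", "msedge.exe", "acrord32.exe"}

# WinRAR extracts to %TEMP%\Rar$<...> when a file is opened from an archive.
# Match that folder anywhere in a path or command line, case-insensitively.
TEMP_EXTRACT_RE = re.compile(r"\\temp\\rar\$", re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # WinRAR itself opened from Explorer: benign.
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.rar"',
    },
    {   # cmd.exe spawned by WinRAR running a script from the temp folder: both rules.
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Rar$EXa1234.5678\run.bat"',
    },
    {   # Executable launched straight out of a Rar$ temp folder: rule 2.
        "Image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa1234.5678\update.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "update.exe",
    },
    {   # Notepad opened from WinRAR: allowlisted viewer, no finding.
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": "notepad.exe readme.txt",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(events, allowlist=DEFAULT_ALLOWLIST):
    """Return one finding dict per (event, rule) match, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "")

        # Indicator 1: WinRAR parent, child not in the viewer allowlist.
        if _basename(parent) == "winrar.exe" and _basename(image) not in allowlist:
            findings.append({"event": idx, "rule": "winrar_child_process", "image": image})

        # Indicator 2: execution referencing a temporary extraction directory.
        if TEMP_EXTRACT_RE.search(image) or TEMP_EXTRACT_RE.search(cmdline):
            findings.append({"event": idx, "rule": "temp_extraction_exec", "image": image})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} -> {f['image']}")
```

The allowlist keeps ordinary "open this document from the archive" behaviour quiet while still surfacing shells, script hosts and unknown binaries under WinRAR; the temp-folder rule catches payloads that run after extraction even when the parent is no longer WinRAR.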
