CVE-2018-20250
In short
WinRAR versions up to 5.61 have a flaw where specially crafted ACE-format archives can extract files outside their intended folder by using absolute paths, potentially placing malicious files anywhere on your system.
Technical detail
A path traversal vulnerability in UNACEV2.dll (ACE format handler) allows an attacker to bypass directory restrictions by embedding absolute paths in the filename field; extraction of a malicious archive with crafted filenames ignores the target folder parameter, enabling arbitrary file write to the filesystem.
Summary generated and translated by AI from the official description.
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Check Point Software Technologies Ltd. · WinRAR
Public PoCs found — 24
github · github.com/WyAtu/CVE-2018-20250 · ★ 492
github · github.com/QAX-A-Team/CVE-2018-20250 · ★ 26
github · github.com/easis/CVE-2018-20250-WinRAR-ACE · ★ 21
github · github.com/arkangel-dev/CVE-2018-20250-WINRAR-ACE-GUI · ★ 7
github · github.com/Ektoplasma/ezwinrar · ★ 2
github · github.com/STP5940/CVE-2018-20250 · ★ 2
github · github.com/technicaldada/hack-winrar · ★ 1
github · github.com/eastmountyxz/CVE-2018-20250-WinRAR · ★ 1
github · github.com/H4xl0r/WinRar_ACE_exploit_CVE-2018-20250 · ★ 0
github · github.com/lxg5763/cve-2018-20250 · ★ 0
github · github.com/tzwlhack/CVE-2018-20250 · ★ 0
github · github.com/zeronohacker/CVE-2018-20250 · ★ 0
github · github.com/tannlh/CVE-2018-20250 · ★ 0
github · github.com/LamSonBinh/CVE-2018-20250 · ★ 0
github · github.com/nmweizi/CVE-2018-20250-poc-winrar · ★ 0
github · github.com/blunden/UNACEV2.DLL-CVE-2018-20250 · ★ 0
github · github.com/AeolusTF/CVE-2018-20250 · ★ 0
github · github.com/joydragon/Detect-CVE-2018-20250 · ★ 0
github · github.com/likekabin/CVE-2018-20250 · ★ 0
exploitdb · www.exploit-db.com/exploits/46552 · unverified
cve_reference · www.exploit-db.com/exploits/46552/ · unverified
cve_reference · www.exploit-db.com/exploits/46756/ · unverified
exploitdb · www.exploit-db.com/exploits/46756 · unverified
cve_reference · packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/152618/RARLAB-WinRAR-ACE-Format-Input-Validation-Remote-Code-Execution.html
https://github.com/blau72/CVE-2018-20250-WinRAR-ACE
https://research.checkpoint.com/extracting-code-execution-from-winrar/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-20250
https://www.exploit-db.com/exploits/46552/
https://www.exploit-db.com/exploits/46756/
https://www.win-rar.com/whatsnew.html
http://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_ace
http://www.securityfocus.com/bid/106948