← back
CVE-2023-38831

CVE-2023-38831

CVSS 7.8 HIGHEPSS 97.8%● KEVCWE-351
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8EPSS 97.8%KEV simPoC públicaNuclei Metasploit simPatch
Lifecycle
23 Aug 2023Metasploit module available
23 Aug 2023Published on NVD
24 Aug 2023Active exploitation (CISA KEV)
24 Aug 2023Public PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

WinRAR before version 6.23 has a flaw where opening what looks like a harmless file (like a photo) inside a ZIP archive can actually run malicious code hidden in a folder with the same name. This vulnerability was actively exploited by attackers in 2023.

Technical detail

A path traversal vulnerability in WinRAR's ZIP extraction logic allows arbitrary code execution when a user attempts to view a benign file that shares a name with a malicious folder within the archive. The vulnerability exploits improper handling of same-named files and directories during extraction, enabling attackers to execute arbitrary code with user privileges. This CVE was actively exploited in the wild between April and October 2023.

Summary generated and translated by AI from the official description.
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found59
githubgithub.com/b1tg/CVE-2023-38831-winrar-exploit785githubgithub.com/Garck3h/cve-2023-38831128githubgithub.com/ignis-sec/CVE-2023-38831-RaRCE114githubgithub.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc91githubgithub.com/HDCE-inc/CVE-2023-3883190githubgithub.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-3883140githubgithub.com/Maalfer/CVE-2023-38831_ReverseShell_Winrar-RCE22githubgithub.com/xaitax/WinRAR-CVE-2023-3883118githubgithub.com/MorDavid/CVE-2023-38831-Winrar-Exploit-Generator-POC13githubgithub.com/ahmed-fa7im/CVE-2023-38831-winrar-expoit-simple-Poc11githubgithub.com/Malwareman007/CVE-2023-388319githubgithub.com/youmulijiang/evil-winrar9githubgithub.com/z3r0sw0rd/CVE-2023-38831-PoC6githubgithub.com/UnHackerEnCapital/PDFernetRemotelo6githubgithub.com/PascalAsch/CVE-2023-38831-KQL4githubgithub.com/xk-mt/WinRAR-Vulnerability-recurrence-tutorial4githubgithub.com/Mich-ele/CVE-2023-38831-winrar3githubgithub.com/malvika-thakur/CVE-2023-388313githubgithub.com/RonF98/CVE-2023-38831-POC3githubgithub.com/kuyrathdaro/cve-2023-388313githubgithub.com/akhomlyuk/cve-2023-388313githubgithub.com/ameerpornillos/CVE-2023-38831-WinRAR-Exploit3githubgithub.com/r1yaz/winDED2githubgithub.com/IR-HuntGuardians/CVE-2023-38831-HUNT2githubgithub.com/MaorBuskila/Windows-X64-RAT2githubgithub.com/yezzfusl/cve_2023_38831_scanner1githubgithub.com/thegr1ffyn/CVE-2023-388311githubgithub.com/Ben1B3astt/CVE-2023-38831_ReverseShell_Winrar1githubgithub.com/ruycr4ft/CVE-2023-388311githubgithub.com/s4m98/winrar-cve-2023-38831-poc-gen1githubgithub.com/SpamixOfficial/CVE-2023-388311githubgithub.com/technicalcorp0/CVE-2023-38831-Exploit1githubgithub.com/olowostandard1/CVE-2023-38831-WinRAR-Vulnerability-Analysis1githubgithub.com/sudo-py-dev/CVE-2023-388310githubgithub.com/lightningspeed221/Winrar-Exploit-CVE-2023-388310githubgithub.com/ngothienan/CVE-2023-388310githubgithub.com/GOTonyGO/CVE-2023-38831-winrar0githubgithub.com/solomon12354/VolleyballSquid-----CVE-2023-38831-and-Bypass-UAC0githubgithub.com/RomainBayle08/CVE-2023-388310githubgithub.com/imbyter/imbyter-WinRAR_CVE-2023-388310githubgithub.com/Fa1c0n35/CVE-2023-38831-winrar-exploit0githubgithub.com/Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-327840githubgithub.com/khanhtranngoccva/cve-2023-38831-poc0githubgithub.com/asepsaepdin/CVE-2023-388310githubgithub.com/MyStuffYT/CVE-2023-38831-POC0githubgithub.com/FirFirdaus/CVE-2023-388310githubgithub.com/ra3edAJ/LAB-DFIR-cve-2023-388310githubgithub.com/ML-K-eng/CVE-2023-38831-Exploit-and-Detection0githubgithub.com/idkwastaken/CVE-2023-388310githubgithub.com/VictoriousKnight/CVE-2023-38831_Exploit0githubgithub.com/sh770/CVE-2023-388310githubgithub.com/Tolu12wani/Demonstration-of-CVE-2023-38831-via-Reverse-Shell-Execution0githubgithub.com/yangdayyy/cve-2023-388310githubgithub.com/anelya0333/Exploiting-CVE-2023-388310githubgithub.com/mishra0230/CVE-2023-388310githubgithub.com/Nielk74/CVE-2023-388310githubgithub.com/kehrijksen/CVE-2023-388310githubgithub.com/h3xecute/SideCopy-Exploits-CVE-2023-388310cve_referencepacketstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.htmlhttps://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/https://news.ycombinator.com/item?id=37236100https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38831https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/