Cyber Resilience

CVE-2018-20250

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 February 2019

Modified: 31 October 2025
KEV Added: 15 February 2022
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9346 (99.8th percentile)
Risk Priority: 92 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-20250 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in RARLAB WinRAR. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

In WinRAR versions prior to and including 5.61, a path traversal vulnerability exists in the handling of the ACE archive format within UNACEV2.dll. By manipulating the filename field with specific patterns, an attacker can cause the extraction routine to ignore the user-specified destination folder and treat the supplied path as absolute, corresponding to CWE-36 and CWE-22.

The flaw can be exploited by an attacker who supplies a crafted ACE archive to a local user. With low attack complexity, no privileges required, and only user interaction needed (the victim extracting the archive), successful exploitation allows arbitrary file writes outside the intended extraction directory, resulting in high impact to confidentiality, integrity, and availability, as reflected in the CVSS 7.8 score.

Public references document working proof-of-concept code, a Metasploit module, and detailed technical analysis demonstrating remote code execution via malicious archives, confirming the issue has been weaponized in public tooling.
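As an added illustration of the SI-10 mitigation (validating the archive filename field before extraction), and not code from WinRAR, UNACEV2.dll or this page: an extractor-side check that resolves every entry name relative to the user-chosen destination and refuses any name that would be treated as absolute or that climbs out of that folder. The destination and the entry names are constructed samples.

```python
# Added example (not WinRAR/UNACEV2.dll code): validate an archive entry
# name before extraction so it can never be treated as an absolute path
# or escape the user-chosen destination folder (NIST SI-10 input validation).
import ntpath


class UnsafeEntryName(ValueError):
    """The archive entry name would write outside the destination."""


def safe_extract_path(destination: str, entry_name: str) -> str:
    """Return the Windows path to write `entry_name` to under `destination`.

    Raises UnsafeEntryName when the name carries a drive letter or UNC
    prefix, starts with a separator, contains '.' or '..' components, or
    normalises to a location outside `destination`.
    """
    if not ntpath.isabs(destination):
        raise ValueError("destination must be an absolute Windows path")
    dest = ntpath.normpath(destination)
    name = entry_name.replace("/", "\\")
    # A drive or UNC anchor, or a leading separator, makes the name absolute
    # (or rooted); such a name from untrusted archive data is never honoured.
    if ntpath.splitdrive(name)[0] or name.startswith("\\"):
        raise UnsafeEntryName(f"absolute or rooted entry name: {entry_name!r}")
    # Reject traversal and empty components instead of silently collapsing them.
    if any(part in ("", ".", "..") for part in name.split("\\")):
        raise UnsafeEntryName(f"traversal or empty component: {entry_name!r}")
    candidate = ntpath.normpath(ntpath.join(dest, name))
    # Containment check after normalisation: the result must be strictly inside.
    if candidate == dest or ntpath.commonpath([dest, candidate]) != dest:
        raise UnsafeEntryName(f"entry escapes destination: {entry_name!r}")
    return candidate


def is_safe_entry(destination: str, entry_name: str) -> bool:
    """Convenience wrapper: True if the entry may be extracted."""
    try:
        safe_extract_path(destination, entry_name)
    except UnsafeEntryName:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample entry names, not taken from any real archive.
    dest = "C:\\extract"
    for name in ("docs/readme.txt", "C:\\Users\\Public\\x.txt",
                 "..\\..\\x.txt", "\\\\srv\\share\\x.txt", "\\x.txt"):
        print(f"{name!r:32} -> {is_safe_entry(dest, name)}")
```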

Vulnerability details

In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

CWE(s): CWE-36 (Absolute Path Traversal), CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rarlab
Product: winrar
Versions: ≤ 5.61

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted input (archive filename fields) to reject path traversal sequences and absolute paths before extraction occurs.

SI-3 Malicious Code Protection (prevent, detect): Requires automated detection and blocking of malicious code delivered via crafted archive files that attempt unauthorized writes.

Software and file integrity verification (prevent, detect): Requires integrity verification of software and files to detect unauthorized modifications introduced by malicious archive extraction.

References