Cyber Resilience

CVE-2023-38831

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 23 August 2023

Modified: 31 October 2025
KEV Added: 24 August 2023
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9386 (99.9th percentile)
Risk Priority: 92 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-38831 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in RARLAB WinRAR. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-2 (Baseline Configuration).

Deeper analysis

RARLAB WinRAR versions prior to 6.23 contain a path-handling flaw that permits arbitrary code execution. When a user opens or previews a seemingly benign file such as a .JPG inside a ZIP archive, the application also processes a folder that shares the same name as the file; any executable content placed inside that folder is executed with the privileges of the user. The vulnerability is tracked as CWE-345 and CWE-351 and carries a CVSS 3.1 score of 7.8.

An attacker can deliver a crafted ZIP archive via email, download, or removable media. Once the recipient attempts to view the innocuous file, the hidden folder contents run automatically, giving the attacker arbitrary code execution on the victim's system; no user interaction is needed beyond opening the archive and viewing the file.

WinRAR 6.23 and subsequent releases correct the folder-name collision logic. Security advisories and vendor guidance therefore recommend immediate upgrade; organizations should also verify that older builds are removed from endpoints and build pipelines.

The issue was exploited in the wild from April through October 2023, including campaigns attributed to government-backed actors that targeted cryptocurrency trading accounts. The current EPSS of 0.9386, near its recorded peak of 0.9395, reflects sustained attacker interest after public disclosure.

EU & UK References

Vulnerability details

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
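A defender-side check for the pattern described above, added here as an example and not code from this page or from RARLAB: it walks a ZIP's entry list and reports any file whose name also appears as a folder at the same level, taking folders both from explicit directory entries and from the parent components of nested paths. The sample archives are constructed in memory; folding trailing whitespace when comparing names is a heuristic assumption of the example, not something the advisory states.

```python
"""Scan a ZIP archive for the same-name file/folder collision behind CVE-2023-38831."""
import io
import zipfile
from typing import Dict, List, Tuple


def _normalize(path: str) -> str:
    # Drop the trailing "/" of folder entries and trailing whitespace from each
    # component, so "report.jpg " and "report.jpg /" compare equal. Folding
    # whitespace is a heuristic assumption of this example, not from the advisory.
    return "/".join(part.rstrip() for part in path.strip("/").split("/"))


def find_name_collisions(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (file_entry, folder) pairs where a file shares its name with a
    folder at the same level. Folders are collected both from explicit
    directory entries and from the parent components of file paths, because a
    ZIP need not store a separate entry for every folder it contains."""
    folders: Dict[str, str] = {}  # normalized folder path -> name as stored
    files: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.strip("/").split("/")
            if name.endswith("/"):
                folder_parts = parts          # explicit directory entry
            else:
                files.append(name)
                folder_parts = parts[:-1]     # parents of a file entry
            for depth in range(1, len(folder_parts) + 1):
                stored = "/".join(parts[:depth]) + "/"
                folders.setdefault(_normalize(stored), stored)
    return [(f, folders[_normalize(f)]) for f in files if _normalize(f) in folders]


def build_sample_archive(with_collision: bool) -> bytes:
    """Constructed test input, not a real sample: an image-named file plus,
    optionally, a folder of the same name (trailing space) holding a file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.jpg ", b"\xff\xd8\xff\xe0 constructed JPEG placeholder")
        if with_collision:
            zf.writestr("report.jpg /report.jpg .cmd", b"REM constructed placeholder")
        zf.writestr("readme.txt", b"ordinary file, no matching folder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("colliding archive", True), ("clean archive", False)):
        print(label, "->", find_name_collisions(build_sample_archive(flag)))
```

Run against mail-gateway or endpoint quarantine samples, a non-empty result is a strong indicator worth alerting on, since ordinary archives almost never carry a file and a folder with the same name at the same level.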

CWE(s): CWE-345, CWE-351
KEV Date Added: 24 August 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

rarlab winrar ≤ 6.23

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of the vendor patch (WinRAR 6.23+) that eliminates the folder-name collision flaw allowing code execution from the crafted ZIP.

CM-2 Baseline Configuration (prevent): Enforces an approved baseline that includes only patched versions of WinRAR, preventing vulnerable instances from remaining on systems.

SI-3 Malicious Code Protection (prevent, detect): Malicious-code protection mechanisms can block or alert on the executable payload that is automatically launched when the benign file is viewed inside the archive.

References