Zero-Day WinRAR Vulnerability is Simply a New Attack Vector

In late September, news surfaced of a new zero-day WinRAR vulnerability affecting the latest version (WinRAR 5.21) of the software. If exploited, users would risk not only infecting their computer but also networks to which their computer connects.

WinRAR is a popular file compressing program that has been installed more than 500 million devices around the world. The WinRAR vulnerability was rated with a 9.2 on the Common Vulnerability Scoring System (CVSS). Vulnerabilities with a rating of 7-10 are classed as high severity.

According to the security researcher who claims to have discovered the WinRAR flaw – Mohammad Reza Espargham – “The code execution vulnerability can be exploited by remote attackers without privilege system user account or user interaction,” in remote code execution (RCE) attacks. Espargham published his proof-of-concept which essentially served as a how to guide to exploit the flaw.

A hacker could exploit the flaw by sending a malicious SFX file via email. SFX files are self-extracting files which extract their own contents. Simply clicking on a malicious SFX file would result in infection.  An attack would be possible if the attacker inserted malicious HTML code into the “Text to display in SFX window” field when creating a new SFX archive.

According to RARLab, the company that developed WinRAR, this is not a vulnerability that only affects WinRar, and as such it is unlikely to be fixed. The company said “A malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless.” RARLab suggested there were far easier ways to infect users of WinRAR than the PoC released by Espargham.

While MalwareBytes initially suggested the Zero-Day WinRAR vulnerability was serious, its original blog post has since been redacted and an apology has been issued to RARLab. Rather than being a zero-day vulnerability, MalwareBytes says it is simply a new attack vector which could be used to infect a computer via any executable file, not just SFX files.

All executable files are potentially dangerous. The files can easily be used by malicious actors to infect computers. It is therefore important for any user to exercise extreme caution and only to run executable files that have come from a reputable source. That applies to EXE files as well as SFX files.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of