WinRAR MotW bypass flaw fixed, update ASAP (CVE-2025-31334)

WinRAR users, upgrade your software as soon as possible: a vulnerability (CVE-2025-31334) that could allow attackers to bypass Windows’ Mark of the Web (MotW) security warning and execute arbitrary code on your machine has been fixed in version 7.11.


About CVE-2025-31334

WinRAR is an extremely popular file archiver utility for Windows. It can create and view archives in RAR or ZIP file formats, as well as “unpack” archive files in other formats (ISO, JAR, TAR, 7z, CAB, etc.) and EXE (executable) files containing those archive formats.

CVE-2025-31334 is an issue in how WinRAR handles symbolic links (symlinks), which are essentially pointers to another file or directory. The vulnerability allows attackers to craft an archive file with a symlink that points to an executable file; when that symlink is started from the WinRAR shell, the executable’s Mark of the Web data is ignored.

This means that users opening such a file they downloaded from the internet won’t be warned about its potentially harmful nature and asked to confirm that they want to run the EXE file – the file will run when started.

Attackers love MotW bypass flaws

WinRAR is used by 500+ million users around the world, and threat actors regularly exploit WinRAR flaws to deliver malware.

Vulnerabilities that allow attackers to bypass MotW are also beloved by threat actors. Earlier this year, Russian threat actors exploited a MotW bypass vulnerability in 7-Zip – another popular archiver tool – to deliver malware to Ukrainian entities.

CVE-2025-31334 was reported by Taihei Shimamine of Mitsui Bussan Secure Directions, and there is currently no mention of it being leveraged by attackers.

The flaw is considered to be of medium severity, primarily because attackers would need to have high privileges to exploit it, and this might prove to be a considerable obstacle.

Nevertheless, WinRAR users should make the effort to update to the fixed version 7.11 as, unfortunately, the utility does not have auto-update functionality.
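
Because the utility will not update itself, a host-side check is useful. The following PowerShell audit is an added example, not code from the article or from WinRAR: it compares an installed WinRAR.exe against the fixed version 7.11 and lists files that carry an Internet-zone Mark of the Web, which Windows stores in the NTFS `Zone.Identifier` alternate data stream. The two path parameters and the function names are assumptions supplied for illustration.

```powershell
param(
    # Assumption: the caller supplies the path to WinRAR.exe on this host.
    [Parameter(Mandatory)] [string]$WinRarExe,
    # Assumption: folder of downloaded files to inspect (for example a Downloads folder).
    [Parameter(Mandatory)] [string]$ScanDir
)

$FixedVersion = [version]'7.11'   # fixed release named in the article

function Test-WinRarPatched {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Assumption: the version resource encodes the release as major.minor.
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    [pscustomobject]@{
        Path      = $Path
        Installed = $installed
        Patched   = $installed -ge $FixedVersion
    }
}

function Get-MotwZone {
    param([string]$Path)
    # MotW is the "Zone.Identifier" alternate data stream; no stream means no mark.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $line = $ads | Where-Object { $_ -match '^\s*ZoneId\s*=\s*\d+' } | Select-Object -First 1
    if ($line -match 'ZoneId\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
}

$state = Test-WinRarPatched -Path $WinRarExe
if ($state.Patched) {
    Write-Host "WinRAR $($state.Installed) is at or above $FixedVersion."
} else {
    Write-Warning "WinRAR $($state.Installed) is older than $FixedVersion; update manually."
}

# ZoneId 3 = Internet, 4 = Restricted sites: files for which a MotW prompt is expected.
Get-ChildItem -LiteralPath $ScanDir -File -Recurse | ForEach-Object {
    [pscustomobject]@{ File = $_.FullName; ZoneId = Get-MotwZone -Path $_.FullName }
} | Where-Object { $_.ZoneId -ge 3 } | Format-Table -AutoSize
```

The MotW listing only works on NTFS volumes, since other file systems do not keep alternate data streams.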
