Summary:
A recently discovered vulnerability in WinRAR, tracked as
CVE-2025-31334, allows attackers to bypass the Windows "Mark of the Web" (MotW) security mechanism, which tags files downloaded from the internet as potentially unsafe. The flaw affects all WinRAR versions prior to 7.11 and enables execution of arbitrary code without triggering the usual security warnings. MotW normally prompts users when they open an executable file that originated from an untrusted source, giving them the option to proceed or to abort.
Security Officer Comments:
This is the latest vulnerability used to bypass Windows MotW protections. We routinely observe threat actors bypassing MotW as a means to more easily trick victims into running dangerous files. Both cybercriminals and nation-state actors commonly bypass MotW to deliver malware. Most recently, Russian adversaries took advantage of a vulnerability in 7-Zip to bypass MotW and deliver SmokeLoader.
While abuse of these vulnerabilities typically requires social engineering and substantial user interaction, threat actors continue to find new ways around Windows protections, and organizations should continue to train users to spot and avoid common phishing attempts.
Suggested Corrections:
The vulnerability is rated medium severity with a score of 6.8, as exploitation requires high privileges. It has been addressed in WinRAR version 7.11. Because WinRAR has no auto-update feature, users must download and install the new version themselves, and are urged to do so immediately.
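As an added verification step (this snippet is not part of the original advisory and is not WinRAR's own tooling), the following PowerShell function reports whether files under a directory carry the Mark of the Web, which Windows stores in an NTFS alternate data stream named Zone.Identifier. Run it against a folder that WinRAR extracted from an internet-sourced archive: after updating to 7.11, executables that should have inherited the mark will report a ZoneId of 3 (Internet zone), while a missing stream is what a MotW bypass looks like on disk. The temporary directory, file names and host URL in the demonstration are constructed assumptions for illustration.

```powershell
# Added example, not from the advisory: report MotW status for every file under a directory.
# MotW lives in the NTFS alternate data stream "Zone.Identifier"; a ZoneId of 3 (Internet zone)
# is what triggers SmartScreen / the Open File warning for executables. Requires an NTFS volume.

function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_.FullName
        # Get-Item -Stream returns nothing (non-terminating error suppressed) when the stream is absent.
        $stream = Get-Item -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null; $referrer = $null; $hostUrl = $null
        if ($stream) {
            foreach ($line in (Get-Content -LiteralPath $file -Stream Zone.Identifier)) {
                if     ($line -match '^ZoneId=(\d+)')      { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.*)$') { $referrer = $Matches[1] }
                elseif ($line -match '^HostUrl=(.*)$')     { $hostUrl  = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File        = $file
            HasMotW     = [bool]$stream
            ZoneId      = $zoneId
            ReferrerUrl = $referrer
            HostUrl     = $hostUrl
        }
    }
}

# --- Demonstration on constructed files (assumed paths, not real downloads) ---
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'plain' | Set-Content -LiteralPath (Join-Path $demo 'local.txt')
'tool'  | Set-Content -LiteralPath (Join-Path $demo 'downloaded.exe')
# Simulate what a browser writes on download: tag only the second file with the Internet zone.
Set-Content -LiteralPath (Join-Path $demo 'downloaded.exe') -Stream Zone.Identifier `
    -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/tool.exe"

Get-MotWStatus -Path $demo | Format-Table File, HasMotW, ZoneId, HostUrl -AutoSize

# Flag executable-type files that carry no mark at all; for a folder extracted from an
# internet-sourced archive, any hit here means MotW was not propagated to that file.
Get-MotWStatus -Path $demo |
    Where-Object { $_.File -match '\.(exe|dll|scr|bat|cmd|ps1|msi)$' -and -not $_.HasMotW } |
    ForEach-Object { Write-Warning "No Mark of the Web on $($_.File)" }
```

The check only tells you whether the Zone.Identifier stream survived extraction, not why it is absent: interpret the results alongside WinRAR's own MotW propagation setting and the archive's own mark, and remember that the stream exists only on NTFS volumes, so files extracted to FAT or exFAT media will never carry it.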
Source:
https://jvn.jp/en/jp/JVN59547048/ (Japanese)
https://www.bleepingcomputer.com/news/security/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts/