SentinelOne
CVE Vulnerability Database

CVE-2023-38831: WinRAR ZIP Archive RCE Vulnerability

CVE-2023-38831 is a remote code execution vulnerability in RARLAB WinRAR that lets an attacker run arbitrary code when a user opens a file from a specially crafted ZIP archive. It was exploited in the wild from April to October 2023. This article covers the technical details, detection guidance and fixes.

CVE-2023-38831 Overview

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue arises because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Critical Impact

Successful exploitation runs attacker-supplied code in the context of the user who opened the archive. That gives the attacker an initial foothold on the workstation and compromises the integrity and confidentiality of everything that user can reach, with no privilege beyond a double-click on what looks like an image or document.

Affected Products

  • RARLAB WinRAR versions earlier than 6.23 (the Windows application; the bug is triggered through WinRAR's own open-file-from-archive action)

Discovery Timeline

  • Discovery date, discoverer, responsible-disclosure date and patch-release date are not recorded in this entry; the fix shipped in WinRAR 6.23
  • 2023-08-23 - CVE-2023-38831 published to NVD
  • 2025-10-31 - Last updated in NVD database

Technical Details for CVE-2023-38831

Vulnerability Analysis

A crafted ZIP contains a decoy file with a harmless-looking name (for example a .JPG) and a directory with the same name. In the public proof of concept the shared name ends with a trailing space, and the directory holds a script whose name begins with the decoy name (photo.jpg .cmd, for example). When the user double-clicks the decoy inside WinRAR, a vulnerable version extracts not just that file but also the contents of the same-named directory into a temporary folder, and then asks the Windows shell to open the extracted path. Because that path ends in a space, the shell's name matching resolves the request to the script in the same-named directory rather than to the decoy, so the attacker's code runs with the user's privileges and nothing visible tells the user that anything other than a picture was opened.

Root Cause

WinRAR's open-file logic selected the archive entries to extract by matching on the name of the clicked item, so a directory whose name collided with the clicked file was extracted along with it, and the resulting path (ending in a space) was handed to the shell without validation. The combination of over-broad extraction and the shell's lenient resolution of a trailing-space path is what turns an innocuous double-click into script execution. WinRAR 6.23 corrects this handling.

Attack Vector

Local (CVSS v3.1 base score 7.8, High; AV:L/AC:L/PR:N/UI:R). The attacker must get a crafted archive to the victim, typically as an email attachment or a download from a forum or file-sharing site, and the victim must open a file from it in a vulnerable WinRAR. No privileges are required beyond the victim's own, and the 2023 campaigns relied purely on social engineering.

text
# Trigger sequence (pseudocode, not runnable code). Crafted archive layout:
#   benign_image.jpg                            <- decoy file; in the public PoC the name ends with a space
#   benign_image.jpg /                          <- directory with the same name
#   benign_image.jpg /benign_image.jpg .cmd     <- script that will actually run
open_zip('malicious_archive.zip')   # victim opens the archive in WinRAR < 6.23
click('benign_image.jpg')           # victim double-clicks the decoy in the WinRAR window
# WinRAR extracts the decoy AND the same-named directory to a %TEMP%\Rar$DI* folder,
# then hands the extracted path to the shell, which runs 'benign_image.jpg .cmd'.

Detection Methods for CVE-2023-38831

Indicators of Compromise

  • Script or executable files (for example .cmd or .bat) written under WinRAR's temporary extraction folders (%TEMP%\Rar$DI*), particularly names of the form <image or document name> .cmd with a space before the extension
  • cmd.exe or another interpreter spawned as a child of WinRAR.exe immediately after a user opens an archive
  • ZIP archives in mail or downloads whose listing contains a file and a directory with the same name, usually with a trailing space

Detection Strategies

Deploy endpoint monitoring that correlates process creation with archive activity: WinRAR.exe should launch image viewers and document handlers, not cmd.exe, PowerShell or unsigned binaries, so alert on those child processes and on script files created under %TEMP%\Rar$DI*. At the perimeter, inspect ZIP attachments for the file/directory name collision before delivery; the layout is visible in the archive's central directory without extracting anything.
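The name collision described under Vulnerability Analysis can be checked statically at a mail gateway or in a triage pipeline before anyone opens the archive. The following Python script is an added example, not SentinelOne's or RARLAB's code: it reads only the ZIP directory listing, normalises entry names so that the trailing-space variant is caught, and reports any file that shares its name with a directory containing script-like files. The archives it builds are constructed fixtures with placeholder contents, and the extension list is an assumption about what Windows will execute.

```python
"""Static check for the CVE-2023-38831 archive layout: a file entry whose name
collides with a directory entry that contains script-like files.

Added example, not SentinelOne's or RARLAB's code. The archives built below are
constructed fixtures with placeholder contents; nothing is extracted or run."""
from __future__ import annotations

import io
import sys
import zipfile
from dataclasses import dataclass, field

# Assumed list of file types Windows will run when WinRAR hands the path to the shell.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".ps1", ".lnk")


@dataclass
class Finding:
    decoy: str                  # file entry the victim is meant to double-click
    directory: str              # same-named directory entry
    payloads: list[str] = field(default_factory=list)   # script-like files inside it


def _key(name: str) -> str:
    """Normalise an entry path for comparison: forward slashes, no empty
    components, each component stripped of trailing whitespace and case-folded.
    The trailing space the public PoC puts in the shared name is exactly what
    makes a byte-for-byte comparison miss the collision."""
    parts = [p.rstrip().casefold() for p in name.replace("\\", "/").split("/") if p]
    return "/".join(parts)


def scan_names(names: list[str]) -> list[Finding]:
    """Report every file entry whose normalised name equals a directory name.
    Directories come from explicit 'dir/' entries and from the parent prefixes
    of every path, because many archivers omit directory entries entirely."""
    files = [n for n in names if not n.endswith("/")]
    dirs: dict[str, str] = {}
    for n in names:
        parts = n.replace("\\", "/").rstrip("/").split("/")
        ndirs = len(parts) if n.endswith("/") else len(parts) - 1
        for depth in range(1, ndirs + 1):
            prefix = "/".join(parts[:depth])
            dirs.setdefault(_key(prefix), prefix)

    findings = []
    for f in files:
        k = _key(f)
        if k not in dirs:
            continue
        payloads = [n for n in files
                    if _key(n).startswith(k + "/")
                    and n.rstrip().casefold().endswith(SCRIPT_EXTENSIONS)]
        findings.append(Finding(decoy=f, directory=dirs[k] + "/", payloads=payloads))
    return findings


def scan_zip(data: bytes) -> list[Finding]:
    """Scan an in-memory ZIP; only the central directory is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed fixture reproducing the malicious layout with harmless contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg ", b"\xff\xd8\xff\xe0 constructed, not a real image")
        zf.writestr("photo.jpg /photo.jpg .cmd", "REM constructed placeholder, no payload\r\n")
        zf.writestr("readme.txt", "unrelated benign file\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed fixture: same file name inside a differently named folder, no collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed")
        zf.writestr("photos/photo.jpg", b"\xff\xd8\xff\xe0 constructed")
        zf.writestr("photos/notes.txt", "text\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan archives given on the command line, or the constructed fixtures.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample.zip", build_sample_archive()), ("clean.zip", build_clean_archive())]
    for label, data in targets:
        hits = scan_zip(data)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'}")
        for h in hits:
            print(f"  file {h.decoy!r} collides with dir {h.directory!r}; scripts: {h.payloads}")
```

Run it with one or more .zip paths to scan real attachments; with no arguments it scans the two fixtures and flags only the first. Because it never extracts anything, it is safe to run on untrusted input, and the same name-normalisation logic can be lifted into a mail-gateway filter or a YARA-style rule over the central directory.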

Monitoring Recommendations

Use SentinelOne's behavioral tracking to flag process chains that start at WinRAR.exe and lead to script interpreters or to executables dropped in temporary directories, and to tie those events back to the archive the user opened. Treat any command-line interpreter launched from an archive-viewer process as suspicious by default.

How to Mitigate CVE-2023-38831

Immediate Actions Required

  • Update WinRAR to version 6.23 or later on every host; WinRAR does not update itself, so the upgrade must be pushed centrally or installed by hand
  • Enable comprehensive endpoint security monitoring, with attention to child processes of WinRAR.exe
  • Educate users on safe handling of email attachments and downloads, in particular archives received from forums or unsolicited messages

Patch Information

Ensure all instances of WinRAR are upgraded to version 6.23 or later, where this issue is fixed. Because WinRAR has no automatic update mechanism, inventory the installations and confirm the version on each host rather than assuming users have updated.
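Since WinRAR does not update itself, the practical mitigation task is finding every install below 6.23. The script below is an added example, not SentinelOne's or RARLAB's tooling: it audits a CSV software-inventory export (the sample rows are constructed) and, on a Windows host, can read the locally installed version from the registry. The uninstall key path and the CSV column names are assumptions; pre-release 6.23 builds are reported for manual review rather than assumed patched.

```python
"""Audit a software inventory for WinRAR builds older than 6.23, the first fixed release.

Added example, not SentinelOne's or RARLAB's code. The inventory rows are constructed
sample data, and the registry key used by local_winrar_version() is an assumption about
where the WinRAR installer records its DisplayVersion."""
from __future__ import annotations

import csv
import io
import re
import sys

FIXED_VERSION = (6, 23)   # CVE-2023-38831 is fixed in WinRAR 6.23 and later

# Constructed sample export; column names are an assumption about the inventory tool.
SAMPLE_INVENTORY = """\
hostname,product,version
ws-finance-01,WinRAR archiver,6.22
ws-finance-02,WinRAR archiver,6.23
ws-trading-07,WinRAR archiver,5.91
ws-dev-03,WinRAR archiver,7.01
ws-dev-04,7-Zip,23.01
ws-hr-09,WinRAR archiver,6.23 beta 1
"""


def parse_version(text: str) -> tuple[int, int] | None:
    """Extract major.minor from strings like '6.22', '6.23 beta 1' or '7.01 (64-bit)'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(version: str) -> str:
    """'vulnerable' below 6.23, 'patched' at or above it, 'review' when unparseable
    or a pre-release build (a beta may predate the fix; confirm by hand)."""
    v = parse_version(version)
    if v is None:
        return "review"
    if v < FIXED_VERSION:
        return "vulnerable"
    if re.search(r"beta|rc|alpha", version, re.IGNORECASE):
        return "review"
    return "patched"


def audit_inventory(csv_text: str) -> dict[str, list[str]]:
    """Group hostnames by status for every row whose product is WinRAR."""
    out: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "winrar" not in row["product"].casefold():
            continue
        out[classify(row["version"])].append(row["hostname"])
    return out


def local_winrar_version() -> str | None:
    """On Windows, read the installed version from the uninstall registry entry.
    The key path is an assumption; returns None on other platforms or if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, "DisplayVersion")[0]
    except OSError:
        return None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for status, hosts in audit_inventory(text).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
    local = local_winrar_version()
    if local is not None:
        print(f"this host: WinRAR {local} -> {classify(local)}")
```

Feed it the CSV from your asset-management export, or run it with no arguments to see the constructed rows classified. Hosts in the review bucket need a human to confirm the build actually contains the fix; everything in the vulnerable bucket should be queued for an immediate push of 6.23 or later.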

Workarounds

There is no configuration setting that disables the vulnerable behaviour; the only real fix is the update. Until it is deployed on every host: do not open ZIP archives from unknown or unsolicited sources; quarantine or strip ZIP and RAR attachments from untrusted senders at the mail gateway; and use application control to stop script interpreters and unsigned binaries from launching out of WinRAR's temporary folders (%TEMP%\Rar$DI*). These measures reduce exposure but do not remove the flaw, so they are a bridge to the 6.23 upgrade rather than a substitute for it.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.