CVE-2023-38831 · CWE-345 · Disclosed 2023-08-23

RARLAB WinRAR before 6.23

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a booby-trapped gift bag: the label says photo, but opening it also fires the hidden device tucked behind it

CVE-2023-38831 is a code-execution bug in WinRAR for Windows before 6.23. A crafted ZIP carries a benign-looking file (an image or document whose name ends in a space) together with a folder of exactly the same name, and that folder holds a script or executable whose name extends the decoy's (for example "photo.jpg .cmd"). When the user double-clicks the decoy from inside WinRAR, the hidden launcher runs instead. In the campaigns Group-IB documented, attackers used it to pass off .cmd, .bat, and other launcher content as images or documents.

The 7.8 HIGH baseline (NVD's CVSS 3.1 score) is directionally right, but it undersells the operational reality that this bug was *actually exploited in the wild*, landed in CISA KEV, and quickly got public exploit generators. At the same time, it is not a network-reachable server bug: it needs archive delivery plus a user click on a Windows endpoint, which keeps it out of CRITICAL despite the ugly impact once it lands.

"KEV-listed and heavily weaponized, but still gated by user interaction on a desktop app"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a weaponized archive

The attacker builds a crafted ZIP using public exploit generators such as the b1tg GitHub PoC or the Rapid7 exploit/windows/fileformat/winrar_cve_2023_38831 module, then delivers it by phishing, forum post, chat attachment, or cloud-share link. This is not self-propagating; the exploit has to be carried to the user as content.
Conditions required:
  • Target uses WinRAR on Windows
  • Version is earlier than 6.23
  • Attacker can get a ZIP file in front of the user
Where this breaks in practice:
  • Requires a content-delivery channel such as email, chat, drive-share, or web download
  • Attachment detonation, reputation filtering, and Safe Browsing can block many delivery attempts
  • If the enterprise standardized on 7-Zip or native Explorer instead of WinRAR, the exploit chain dies here
Detection/coverage: Email gateways and sandboxing can catch known malicious archives; version scanners can flag WinRAR <6.23, but they will not see user-targeted delivery by themselves.
STEP 02

Convince the user to open the decoy

The archive presents a benign-looking file, often an image or document lure, while hiding the real launcher in a same-named directory. Exploitation succeeds when the user opens the decoy from inside WinRAR, satisfying the UI:R requirement in the CVSS vector.
Conditions required:
  • User opens the archive in WinRAR
  • User clicks the spoofed benign file
Where this breaks in practice:
  • User interaction is mandatory
  • Security-aware users may extract first or avoid opening files directly from archives
  • Content disarm, attachment previews, and user training reduce but do not eliminate success
Detection/coverage: EDR can often alert on WinRAR.exe spawning cmd.exe, wscript.exe, powershell.exe, or other LOLBins; user-click telemetry is otherwise sparse.
STEP 03

WinRAR expands extra content and Windows resolves the wrong target

Per Google TAG and McAfee's analysis (and Group-IB's original writeup), the trigger is a combination of WinRAR's extraction behavior and Windows ShellExecute name resolution. When the user opens the decoy, WinRAR extracts both the decoy and the contents of the same-named folder into a temporary directory and hands the decoy's path to ShellExecute. Because that name ends in a space, the exact name is not matched, and ShellExecute instead resolves the launcher sitting in the same directory whose name is the decoy's name plus a script extension, so the hidden .cmd or .bat is processed rather than the image or document the user clicked.
Conditions required:
  • Archive uses the same-name file/folder trick
  • WinRAR extracts to a temp path during open
  • Windows processes the hidden launcher path
Where this breaks in practice:
  • The malformed archive must be crafted correctly
  • Some execution-control policies block script hosts or unsigned child processes even after trigger
  • Application allow-listing can stop the next-stage launcher
Detection/coverage: Behavioral EDR coverage is usually strong here: temporary-directory execution, suspicious child processes, and script-host launches are common detection points.
STEP 04

Run payload and establish foothold

Observed campaigns used the bug to launch malware such as DarkMe, GuLoader, and Remcos RAT, and later state-backed actors reused the same path for targeted phishing. Impact is endpoint compromise with user-level code execution first, then whatever follow-on access the payload can obtain on that host.
Conditions required:
  • Payload execution is not blocked by EDR or application control
  • User context has access to interesting data or credentials
Where this breaks in practice:
  • Blast radius starts at one endpoint, not the whole network
  • Modern EDR frequently catches post-exploitation behavior even if the initial trigger succeeded
  • Least privilege limits immediate damage if the user lacks admin rights
Detection/coverage: Malware families used in the wild are broadly detectable by EDR and network telemetry; retro-hunting for WinRAR.exe child processes is effective.
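The four steps above describe a fixed archive layout, which is also what a gateway can key on when quarantining ZIP lures. The following scanner is an added example, not the noisgate page's or RARLAB's code: it flags a top-level entry whose exact name (trailing space included) is reused as a directory holding a launcher-looking file. The sample archives it builds are constructed test data with inert contents, not working exploits; the extension list beyond .cmd/.bat is an assumption.

```python
# Added example: static scan of a ZIP for the CVE-2023-38831 decoy/launcher layout.
# Not code from the noisgate page or from RARLAB.
import io
import zipfile
from dataclasses import dataclass

# .cmd and .bat are the launcher types the page names; the rest are assumed
# additions covering other things ShellExecute will run.
LAUNCHER_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".hta", ".scr", ".lnk"}


@dataclass(frozen=True)
class Finding:
    decoy: str      # top-level file the user is meant to click
    launcher: str   # entry inside the same-named directory
    reasons: tuple  # why this pair looks like the same-name trick


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def scan_zip_bytes(data: bytes) -> list:
    """Return a Finding for every decoy/launcher pair in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # stored names, not normalized: trailing spaces survive
    top_files = {n for n in names if "/" not in n}
    findings = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue  # top-level files and bare directory markers are never launchers
        top_dir, _, inner = n.partition("/")
        if top_dir not in top_files:
            continue  # directory name must match a top-level file byte for byte
        reasons = ["same-name file and directory"]
        if top_dir != top_dir.rstrip():
            reasons.append("decoy name has trailing whitespace")
        if inner.startswith(top_dir):
            reasons.append("launcher name extends the decoy name")
        if _ext(inner) in LAUNCHER_EXTS:
            reasons.append(f"launcher extension {_ext(inner)}")
        findings.append(Finding(top_dir, n, tuple(reasons)))
    return findings


def triage(data: bytes) -> str:
    """Gateway decision: 'quarantine' when a known launcher sits in a same-name
    directory, 'review' for the layout without a known extension, else 'allow'."""
    findings = scan_zip_bytes(data)
    if any(_ext(f.launcher) in LAUNCHER_EXTS for f in findings):
        return "quarantine"
    return "review" if findings else "allow"


def build_sample(malicious: bool) -> bytes:
    """Constructed test archive. The 'malicious' variant only mirrors the layout;
    its .cmd body is an inert echo, so it carries no payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg ", b"\xff\xd8 not really a jpeg")  # note the trailing space
        if malicious:
            zf.writestr("photo.jpg /", b"")                                   # same-name directory
            zf.writestr("photo.jpg /photo.jpg .cmd", b"@echo constructed sample\r\n")
        else:
            zf.writestr("notes/readme.txt", b"benign archive with a normal subfolder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample(False)), ("lure", build_sample(True))):
        print(label, triage(blob))
        for f in scan_zip_bytes(blob):
            print("  ", repr(f.decoy), "->", repr(f.launcher), "|", "; ".join(f.reasons))
```

The match is deliberately byte-exact on the directory name: a normal archive with a file `report.pdf` and a folder `report` never trips it, and the trailing-space and name-extension checks are what separate the CVE layout from an unusual but legitimate archive. Run it on attachments before they reach a WinRAR user; the script does not extract anything.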
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: Confirmed exploited. Group-IB says exploitation started by April 2023 against traders, and Google TAG later observed multiple government-backed actors reusing it.
KEV status: Yes. CISA KEV lists it as "RARLAB WinRAR Code Execution Vulnerability", added on 2023-08-24 with a federal due date of 2023-09-14.
Proof-of-concept availability: Public and mature. Google TAG noted public GitHub exploit generators appeared within hours of disclosure, and Rapid7 published a Metasploit file-format module.
EPSS: 0.93664 per the intel supplied for this assessment, which is extremely high for defender prioritization. FIRST publishes a percentile alongside EPSS, but that percentile was not independently retrieved in this pass.
CVSS vector readout: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H means easy once delivered, no prior privileges, but requires a user click and is not directly network reachable.
Affected versions: WinRAR for Windows before 6.23. NVD lists affected CPE versions up to but excluding 6.23.
Fixed versions: Patched in 6.23; RARLAB says the fix landed in 6.23 beta on 2023-07-20 and 6.23 final on 2023-08-02. There are no meaningful distro backports to track because this is a Windows desktop application.
Scanning and exposure reality: Shodan/Censys/FOFA are basically irrelevant. This is not an internet-facing service problem; exposure lives in endpoint software inventory such as SCCM, Intune, EDR, or uninstall registry data.
Disclosure and reporting: Disclosed 2023-08-23. Reported by Andrey Polovinkin / Group-IB Threat Intelligence to RARLAB.
04 · The Call

noisgate verdict.

Final Verdict: HIGH (8.6/10), severity band unchanged from the 7.8 HIGH baseline

The decisive factor is active exploitation at scale, not the raw CVSS math. KEV listing, public weaponization, and repeated use by both crimeware and state-backed actors outweigh the desktop-only delivery model, but the mandatory user interaction keeps this below CRITICAL.

HIGH · Active exploitation and public weaponization assessment
HIGH · Affected version cutoff at `6.23`
MEDIUM · Enterprise prevalence in your environment versus alternative archivers

Why this verdict

  • Upward pressure: KEV + real abuse. This is not hypothetical; it was exploited as a 0-day and later appeared in CISA KEV, which materially raises operational priority over a generic AV:L/UI:R desktop bug.
  • Upward pressure: public exploit chain. Public GitHub generators and a Metasploit module lower attacker cost and make copycat campaigns cheap.
  • Downward pressure: attacker still needs delivery and a click. This requires phishing, download lures, or another content channel plus user interaction, so it is not equivalent to an unauthenticated network service RCE.
  • Downward pressure: reachability is narrower than CVSS panic suggests. It only matters on Windows endpoints running WinRAR <6.23; enterprises standardized on 7-Zip, native Explorer, or fully patched WinRAR have zero exposure.
  • Downward pressure: blast radius starts per-host. Initial execution is typically in the current user's context, and EDR or application control often has a second chance to stop payload execution.

Why not higher?

It is not a remotely reachable infrastructure bug and it does not let an attacker compromise hosts without a delivery channel and user action. In real deployments, that means this vulnerability usually rides on top of phishing or another initial-access stage rather than replacing it.

Why not lower?

Dropping this to MEDIUM would ignore the part that matters most to defenders: *attackers actually used it*, KEV tracked it, and public exploit tooling made it easy to reproduce. A UI-required desktop bug can still be top-tier patch work when it becomes a reliable malware delivery primitive on large Windows fleets.

05 · Compensating Control

What to do — in priority order.

  1. Block WinRAR child-process execution — Use EDR or application control to alert on or deny WinRAR.exe spawning cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, or rundll32.exe. The baseline for a HIGH verdict is 30 days, but KEV-listed active exploitation overrides it: apply this immediately, within hours, wherever patching cannot happen the same day.
  2. Hunt and remove WinRAR <6.23 — Use endpoint inventory, uninstall registry keys, and file-version checks to find every vulnerable WinRAR install and either upgrade or remove it. The 30-day HIGH baseline is again overridden by active exploitation: within hours for internet-exposed users, high-risk departments, and shared admin workstations.
  3. Quarantine suspicious ZIP lures — Tune secure email, web, and collaboration gateways to detonate or quarantine ZIP archives from untrusted senders, especially those containing image/document lures with script content. This is a same-day mitigation move when immediate upgrade coverage is incomplete.
  4. Restrict script hosts and LOLBins — Apply WDAC, AppLocker, ASR, or equivalent controls to cut off the common second stage even if the archive opens. Enforce on high-risk user populations first and complete rollout within 30 days, or within hours if those groups are actively targeted.
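Mitigation 1 and the Step 02/03 detection notes both come down to one hunt: WinRAR.exe as the parent of a script host, a binary run straight out of WinRAR's temp extraction folder, or a command line naming a "name.ext .cmd" style launcher. The code below is an added example, not the page's or any EDR vendor's logic. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the events are constructed, and the `Rar$` temp-folder prefix is an assumption about WinRAR's naming that you should confirm against your own telemetry.

```python
# Added example: WinRAR child-process hunt over constructed Sysmon-style events.
# Not code from the noisgate page or from any vendor.
import json
import ntpath
import re
from typing import List, NamedTuple

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Assumption: WinRAR's per-open extraction folder lives under %TEMP% and is
# named "Rar$" plus two letters (e.g. Rar$DI...). Adjust if your builds differ.
RAR_TEMP = re.compile(r"\\temp\\rar\$[a-z]{2}", re.IGNORECASE)
# "photo.jpg .cmd": a non-space character, exactly one space, then a launcher extension.
TRAILING_SPACE_LAUNCHER = re.compile(
    r'[^\s\\/"] \.(?:cmd|bat|exe|vbs|js|ps1|hta|scr)\b', re.IGNORECASE)


class Alert(NamedTuple):
    line: int
    rule: str
    severity: str


def evaluate(event: dict, line_no: int = 0) -> List[Alert]:
    """Apply the three WinRAR-parent rules to one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "winrar.exe":
        return []  # every rule here is scoped to children of WinRAR
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    alerts = []
    if ntpath.basename(image).lower() in SCRIPT_HOSTS:
        alerts.append(Alert(line_no, "winrar_spawned_script_host", "high"))
    if RAR_TEMP.search(image):
        alerts.append(Alert(line_no, "binary_run_from_winrar_temp_dir", "medium"))
    if TRAILING_SPACE_LAUNCHER.search(cmd):
        alerts.append(Alert(line_no, "trailing_space_launcher_name", "high"))
    return alerts


def hunt(jsonl: List[str]) -> List[Alert]:
    """Run evaluate() over JSON-lines process events; unparsable lines are skipped."""
    out = []
    for i, line in enumerate(jsonl, 1):
        try:
            out.extend(evaluate(json.loads(line), i))
        except json.JSONDecodeError:
            continue
    return out


# Constructed events. Line 1 is an unrelated shell; line 2 is WinRAR opening an
# extracted text file in a viewer (normal); lines 3 and 4 match the CVE pattern.
SAMPLE_EVENTS = [
    r'{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}',
    r'{"ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa5504.8080\\readme.txt"}',
    r'{"ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa5504.8080\\photo.jpg .cmd\""}',
    r'{"ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","Image":"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa5504.8080\\invoice.exe","CommandLine":"\"C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa5504.8080\\invoice.exe\""}',
]


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"line {a.line}: {a.rule} [{a.severity}]")
```

The viewer case (line 2) is what keeps this from being a blanket "WinRAR spawned something" rule: opening a document from an archive legitimately launches a viewer, so the rules key on script hosts, on executables whose own image path is inside the extraction folder, and on the trailing-space launcher name, each of which is specific to this trick. The same three conditions translate directly into an EDR block rule for mitigation 1.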
What doesn't work
  • A WAF does nothing here because the vulnerable surface is a local desktop archiver, not a web app.
  • Network perimeter scanning will not find exposure because this is endpoint software inventory, not an open port problem.
  • MFA helps downstream account abuse but does not stop the initial local code execution on the endpoint.
  • Generic anti-phishing training alone is not enough; public exploit kits and realistic document lures still get clicks.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your EDR/management tool in a remote PowerShell session. Example: powershell.exe -ExecutionPolicy Bypass -File .\check-winrar-cve-2023-38831.ps1; no admin rights are strictly required, but local admin helps if you want consistent access to install paths and uninstall registry data.

noisgate-verify.ps1 · PowerShell · read-only · safe
# check-winrar-cve-2023-38831.ps1
# Detect WinRAR versions vulnerable to CVE-2023-38831
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
# If several installs are found, the LOWEST version decides: one stale
# vulnerable copy on the host is enough to be exploitable.

$ErrorActionPreference = 'SilentlyContinue'
$patchedVersion = [version]'6.23'

function Get-WinRARVersionFromExe {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        try {
            $item = Get-Item -LiteralPath $Path
            # ProductVersion looks like "6.22.0"; strip any non-numeric suffix before casting
            if ($item.VersionInfo -and $item.VersionInfo.ProductVersion) {
                return [version]($item.VersionInfo.ProductVersion -replace '[^0-9\.]','')
            }
        } catch {}
    }
    return $null
}

function Get-WinRARVersionsFromRegistry {
    # Every DisplayVersion for an app named "WinRAR ..." in the machine-wide
    # (64- and 32-bit) and per-user uninstall hives
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = @()
    foreach ($k in $keys) {
        try {
            foreach ($app in (Get-ItemProperty $k)) {
                if ($app.DisplayName -match '^WinRAR(\s|$)' -and $app.DisplayVersion) {
                    try { $found += [version]($app.DisplayVersion -replace '[^0-9\.]','') } catch {}
                }
            }
        } catch {}
    }
    return $found
}

# ${env:ProgramFiles(x86)} needs the braces: "$env:ProgramFiles(x86)" expands only
# $env:ProgramFiles and appends a literal "(x86)", so the 32-bit path is never checked
$paths = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe",
    "$env:LocalAppData\Programs\WinRAR\WinRAR.exe"
)

$detected = @()
foreach ($p in $paths) {
    $v = Get-WinRARVersionFromExe -Path $p
    if ($v) { $detected += $v }
}
# Wrap in @() so an empty result adds nothing rather than a $null element
foreach ($rv in @(Get-WinRARVersionsFromRegistry)) {
    if ($rv) { $detected += $rv }
}

if ($detected.Count -eq 0) {
    Write-Output 'UNKNOWN: WinRAR not found via common paths or uninstall registry keys.'
    Write-Output 'UNKNOWN'
    exit 2
}

$lowest = $detected | Sort-Object | Select-Object -First 1
Write-Output ("Detected WinRAR version(s): {0}" -f (($detected | Sort-Object -Unique) -join ', '))

if ($lowest -lt $patchedVersion) {
    Write-Output 'VULNERABLE'
    exit 1
} else {
    Write-Output 'PATCHED'
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a user-endpoint malware delivery bug with proven attacker demand: pull a fleet-wide inventory of WinRAR, find every install below 6.23, and either upgrade or remove it first on high-risk user groups and shared admin workstations. Because this CVE is KEV-listed and actively exploited, the noisgate mitigation SLA is overridden here: patch / mitigate immediately, within hours; if you cannot patch same-day, block WinRAR.exe child-process execution and quarantine inbound ZIP lures that day. The formal noisgate remediation SLA for this HIGH verdict remains ≤180 days, but anything left unpatched after the first sweep should be tracked as an exception, not normal backlog.

Sources

  1. RARLAB / win-rar GmbH WinRAR 6.23 release note
  2. NVD CVE-2023-38831
  3. Group-IB original zero-day writeup
  4. Google TAG on government-backed exploitation
  5. McAfee technical analysis
  6. Rapid7 Metasploit module
  7. CISA Known Exploited Vulnerabilities Catalog
  8. FIRST EPSS project and API