The archive contains a file with a relative path like C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exploit.exe .
No complex exploit was needed; the Windows Startup folder handled the execution.
This vulnerability allowed attackers to execute code remotely by simply having a user extract a specially crafted archive. 🛡️ The Vulnerability: CVE-2018-20250 22793.rar
The malware would run automatically the next time the user logged in. 📂 Technical Breakdown
WinRAR failed to properly sanitize these paths, allowing the file to be written outside the intended extraction folder. ⚠️ Security Implications The archive contains a file with a relative
RARLAB removed unacev2.dll entirely to fix the issue.
WinRAR had over 500 million users when the bug was found. ✅ How to Stay Safe Update WinRAR: Ensure you are using version 5.70 or newer . WinRAR had over 500 million users when the bug was found
The file is a well-known proof-of-concept (PoC) archive used to demonstrate a critical vulnerability in WinRAR (tracked as CVE-2018-20250 ).