WinRAR remote code execution vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

A vulnerability has been identified in WinRAR which allows a threat actor to execute arbitrary code in the context of the current process on Windows systems. The flaw lies in the processing of recovery volumes and results from insufficient validation of user-supplied data. It is tracked as CVE-2023-40477 (CVSS score: 7.8).

Impact

Successful exploitation of this vulnerability would allow a threat actor to execute code in the context of the current process. User interaction is required: the user must open a malicious archive file or navigate to a malicious page.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. EDRs can alert system users to potential breaches and stop further progress before the malware is able to cause significant damage. A security update has been released that addresses this vulnerability; versions 6.22 and below remain vulnerable to exploitation.

Affected Products

WinRAR versions 6.22 and below.

Containment, Mitigations & Remediations

Users are advised to upgrade their version of WinRAR to apply the latest security update (6.23) which addresses this vulnerability.
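As an added example (not part of the bulletin), the following PowerShell snippet reports whether the local WinRAR installation falls in the affected range (6.22 and below). It assumes WinRAR.exe sits in the default install folder and that the executable's file version matches the product version shown in the application.

```powershell
# Added example, not from the bulletin: compare the installed WinRAR version
# against the fixed release (6.23) for CVE-2023-40477.
# Assumptions: default install paths; WinRAR.exe FileVersion == product version.
$FixedVersion = [version]'6.23'

$Candidates = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)

$Found = $false
foreach ($Exe in $Candidates) {
    if (-not (Test-Path -LiteralPath $Exe)) { continue }
    $Found = $true

    # FileVersion may carry extra parts or text ("6.22.0"); keep only digits and dots
    # so that [version] parses it and compares numerically (6.9 < 6.10 < 6.23).
    $Raw       = (Get-Item -LiteralPath $Exe).VersionInfo.FileVersion
    $Installed = [version]($Raw -replace '[^\d\.].*$', '')

    $Status = if ($Installed -lt $FixedVersion) {
        'VULNERABLE - upgrade to 6.23 or later'
    } else {
        'Patched'
    }

    [pscustomobject]@{
        Path      = $Exe
        Installed = $Installed.ToString()
        Status    = $Status
    }
}

if (-not $Found) {
    Write-Output 'WinRAR not found in the default install locations.'
}
```

Run it under an account that can read Program Files; a non-default install path needs to be added to $Candidates.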

Indicators of Compromise

There are no specific Indicators of Compromise (IoCs) available at the time of writing.

Threat Landscape

WinRAR is a widely used file archiving tool for Windows systems, developed by RARLAB. Because RARLAB's products have become an integral part of business operations, threat actors will continue to exploit vulnerabilities in products of this type in an attempt to exfiltrate the sensitive data they contain or to disrupt associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

T1203 – Exploitation for Client Execution

T1204 – User Execution

Further Information

An Intelligence Terminology Yardstick showing the likelihood of events