The WinRAR Bug That Hid a Malicious Script Behind a Fake Photo
CVE-2023-38831 let a booby-trapped archive execute code when a user clicked what looked like a harmless image file — exploited against trading forums before the technical details were widely known.
WinRAR sits on hundreds of millions of Windows machines, many with automatic update prompts routinely clicked away — exactly the slow-patching install base CVE-2023-38831 was suited to exploit.
What the vulnerability does
The flaw involves how WinRAR handles a specific kind of crafted archive: one built so that a decoy folder shares a name with what appears to be a harmless file inside — a .jpg, for instance. When a user double-clicked the seemingly innocuous file in WinRAR’s preview to view it, the naming trick caused a hidden malicious script to execute instead of the expected image viewer opening the photo. RARLAB shipped a fix in WinRAR 6.23, released August 2, 2023, with the vulnerability formally disclosed and cataloged on August 23, 2023.
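To make the name-collision pattern concrete from the defender's side, here is an added triage example (written for this page; not RARLAB's code and not taken from any advisory) that flags archives where a top-level document-looking file shares its name with a directory holding an executable-type member. It assumes archive entries are available as '/'-separated paths (as `zipfile.namelist()` or any archive lister provides them) and builds an inert, constructed ZIP sample in memory because RAR listing needs third-party tooling.

```python
import io
import zipfile
from collections import defaultdict

# Extensions a user would double-click in a preview pane as "just a document".
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# Extensions the Windows shell executes rather than opening in a viewer.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com"}

def _ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def find_decoy_collisions(entries):
    """Return (decoy file, script path) pairs: a top-level file that shares its
    name with a directory (compared after trimming whitespace and case) whose
    members include an executable-type file. `entries` are '/'-separated paths
    as an archive lister reports them; bare names are treated as files."""
    files, dir_members = {}, defaultdict(list)
    for entry in entries:
        if entry.endswith("/"):
            continue  # explicit directory record; its members are checked instead
        head, sep, _ = entry.partition("/")
        key = head.strip().casefold()
        if sep:
            dir_members[key].append(entry)
        else:
            files[key] = head
    hits = []
    for key, decoy in files.items():
        if _ext(decoy) not in DECOY_EXTENSIONS:
            continue
        for member in dir_members.get(key, []):
            if _ext(member.rstrip()) in SCRIPT_EXTENSIONS:
                hits.append((decoy, member))
    return hits

def build_sample_archive():
    """Constructed, inert ZIP (not a real sample): a decoy 'image' beside a
    same-named directory holding a .cmd entry; only ever listed, never run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.jpg", b"not really an image")
        zf.writestr("statement.jpg/statement.jpg.cmd", b"echo inert sample")
        zf.writestr("README.txt", b"benign text")
    return buf.getvalue()

def scan_zip_bytes(data):
    """Run the check over an in-memory ZIP; only the entry list is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_collisions(zf.namelist())
```

A hit is a reason to quarantine and inspect the archive, not proof of exploitation; legitimate archives rarely pair a file and a same-named directory, so false positives are uncommon but possible.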
Why it mattered
Security researchers found evidence that this technique was already being used in the wild — in campaigns targeting cryptocurrency and stock-trading forums — before the technical details were widely publicized, with malicious archives disguised as trading tools, account statements, or investment documents distributed to forum users. WinRAR’s massive, slow-to-update install base (the application has no built-in auto-update mechanism by default) made it an attractive, durable vector: a single crafted archive could remain effective against unpatched installs for a long time after the fix shipped.
What administrators should do
Because WinRAR doesn’t auto-update, the core remediation guidance emphasized manual action: users and administrators need to actively download and install version 6.23 or later rather than wait for a prompt. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on the basis of confirmed active exploitation. Organizations distributing WinRAR internally via software management tools were advised to push the update explicitly rather than rely on end users to do so. Full technical detail is in RARLAB’s release notes and the NVD entry.
This article describes the vulnerability’s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.