CVE-2025-31334 - WinRAR “Mark of the Web” Bypass via Symbolic Link Lets Attackers Execute Code

A new, critical flaw—CVE-2025-31334—has been uncovered in WinRAR versions before 7.11. This issue allows attackers to bypass the Windows “Mark of the Web” (MotW) security warning, leading to the silent execution of malicious code. This post will explain how the exploit works, show example code, and provide references for further reading.

What is the “Mark of the Web”?

“Mark of the Web” is a Windows security feature. When you download files from the internet, Windows tags them with a special metadata alternate data stream (Zone.Identifier). If you try to open such a file, Windows warns you that it might be unsafe.

The idea is simple: files from unknown sources shouldn't run without telling you. But if attackers get around this, they can sneak in malware.

What is the Problem?

WinRAR is one of the most used archive utilities on Windows. Before version 7.11, WinRAR did not properly handle the MotW tag when extracting symbolic links that point to executable files.

Here's the core issue:
- An attacker makes a .zip or .rar file containing a symbolic link named, for example, installer.exe.

That symlink points to a malicious EXE somewhere else (could be on a local path or network share).

- The archive is distributed over the internet, picked up by unsuspecting users, or delivered via phishing.
- When a user extracts and opens “installer.exe” using a vulnerable version of WinRAR, Windows skips the familiar warning—no “Are you sure?” prompt—because the MotW tag is not applied to the real target file.

Attack Steps

1. Create a symlink and package it: Using Linux, create a symlink named installer.exe that points to some malicious payload.

Distribute: Send the archive to a victim.

4. Victim opens the symlink in WinRAR 7.10 or older: WinRAR launches the real target without warning.

On Linux

ln -s /path/to/evil.exe installer.exe
zip --symlinks malicious.zip installer.exe

Or for .rar

ln -s /path/to/evil.exe installer.exe
rar a malicious.rar installer.exe

> Note: Windows itself doesn’t support creation of symlinks as easily as Linux. Most attackers use Linux, WSL, or specialized tools to create archives with symlinks.

#### Unpacking/Exploit on Windows

Why Does This Work?

When extracting or opening a symlinked file, WinRAR does not check if the target file has the MotW tag nor does it apply MotW to the target. Windows' security machinery only checks the file you clicked. If it's a link, the real executable escapes the internet warning tag.

This is a logic bug: MotW should “follow” the symlink, but it doesn’t.

What Should You Do?

Update WinRAR!
Rarlab, the makers of WinRAR, fixed this in WinRAR 7.11. Upgrade as soon as possible and urge others to do the same.

Stay Cautious with Archives
Never open executables directly from inside archive programs, especially from untrusted sources.

Official Patch and References

- Vendor Patch Notice: WinRAR Release Notes (7.11)
- NIST NVD: CVE-2025-31334 Record
- WinRAR Download Page

Conclusion

CVE-2025-31334 is an example of how even common tools like WinRAR can have logic flaws with big security consequences. If not patched, attackers can sneak their programs onto your computer—bypassing Windows' normal warnings.

Rule of thumb:

Stay safe!

*This post is exclusive and written in plain language so anyone can understand how the MotW bypass in WinRAR exposes you to real risks. Spread the word!*

Timeline

Published on: 04/03/2025 06:15:42 UTC