A newly discovered vulnerability in the popular file archiver WinRAR could allow attackers to bypass Windows’ Mark of the Web (MotW) security warnings and execute malicious code on targeted systems.

The flaw, tracked as CVE-2025-31334, impacts all WinRAR versions except the latest release, version 7.11.

MotW is a security feature in Windows that adds metadata to files downloaded from the Internet. When a user tries to open one of these files—especially executable ones—Windows displays a warning that the file may be unsafe. This helps protect users from potentially harmful content.

However, researchers found that older versions of WinRAR can be tricked into skipping this warning. The vulnerability allows a symbolic link (symlink) to an executable file to bypass the MotW check when the link is opened from the WinRAR interface. A symlink is a special file that points to another file, and in this case it can lead directly to malware execution without any alert to the user. Note that creating a symlink on Windows typically requires administrator privileges.

The security flaw has been rated with a medium severity score of 6.8 and has been patched in version 7.11. According to WinRAR’s changelog, the issue was caused by the application ignoring MotW data when launching executables through symlinks:

“If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored.”

The vulnerability was responsibly reported by Shimamine Taihei of Mitsui Bussan Secure Directions via Japan’s Information Technology Promotion Agency (IPA). Japan’s Computer Security Incident Response Team (JPCERT/CC) also helped coordinate the disclosure with WinRAR’s developers.

Interestingly, starting from version 7.10, WinRAR includes an option to remove sensitive information (like download origin or IP address) from the MotW metadata to reduce privacy risks. Still, attackers—including state-sponsored hacking groups—have exploited MotW bypasses in the past. Recently, Russian hackers used a similar flaw in 7-Zip to deploy the Smokeloader malware, bypassing security layers through a technique known as double archiving.
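Two points above are easy to check by hand: the MotW data lives in the file's `Zone.Identifier` alternate data stream (a small INI-style text block), and a symlink-aware check must read that stream from the link's target rather than from the link itself. The following helper is an added example, not WinRAR's code; the `[ZoneTransfer]` stream contents are constructed, and `read_motw` assumes a Windows/NTFS host where the `path:Zone.Identifier` stream syntax is available. `strip_origin_fields` models the kind of privacy option the article attributes to 7.10 (dropping the origin URLs while keeping the zone), as an illustration rather than WinRAR's exact behaviour.

```python
import os

# Constructed sample of the Zone.Identifier stream Windows writes for a file
# downloaded from the Internet (ZoneId 3 = URLZONE_INTERNET).
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/tool.exe\r\n"
)

# Zones for which Windows shows the "this file came from another computer" warning.
WARNING_ZONES = {3, 4}  # 3 = Internet, 4 = Restricted sites


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    fields = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def is_marked_from_internet(text):
    """True if the stream carries a zone that should trigger the MotW warning."""
    zone = parse_zone_identifier(text).get("ZoneId", "")
    return zone.isdigit() and int(zone) in WARNING_ZONES


def strip_origin_fields(text):
    """Drop the origin URLs (privacy) but keep ZoneId so the warning still fires."""
    fields = parse_zone_identifier(text)
    kept = [(k, v) for k, v in fields.items() if k not in ("ReferrerUrl", "HostUrl")]
    return "[ZoneTransfer]\r\n" + "".join(f"{k}={v}\r\n" for k, v in kept)


def read_motw(path):
    """Read Zone.Identifier from the symlink *target*, not the link (Windows/NTFS only)."""
    target = os.path.realpath(path)  # follows symlinks before the check
    try:
        with open(target + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None  # no stream: file was not marked (or not NTFS)
```

On a non-Windows host only the parsing and stripping functions are exercisable; `read_motw` returns `None` there because the stream syntax does not exist.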

Users are strongly advised to update to WinRAR version 7.11 immediately to avoid potential exploitation. Keeping software up to date is one of the most effective ways to protect against evolving cybersecurity threats.