CVE-2023-38831

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue...

Basic Information

CVE State
PUBLISHED
Reserved Date
July 25, 2023
Published Date
August 23, 2023
Last Updated
December 18, 2024
Vendor
n/a
Product
n/a
Description
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.
Tags
cisa malware ransomware fancy_bear metasploit_scanner

CVSS Scores

CVSS v3.1

7.8 - HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2023-08-24 00:00:00 UTC) Source
Seen in APT Campaigns
Yes (added 2022-02-01 00:00:00 UTC) (Fancy Bear) Source
Proof of Concept Available
Yes (added 2023-12-12 14:54:30 UTC) Source
Used in Malware
Yes (added 2023-08-24 00:00:00 UTC) Source

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-08-24 00:00:00 UTC

Recent Mentions

Russian GRU Targeting Western Logistics Entities and Technology Companies

Source: All CISA Advisories • Published: 2025-05-21 12:00:00 UTC

Executive Summary

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting. This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

The following authors and co-sealers are releasing this CSA:

  • United States National Security Agency (NSA)
  • United States Federal Bureau of Investigation (FBI)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
  • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
  • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
  • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
  • Czech Republic...

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

winrar_cve_2023_38831

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-38831

Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784

Type: github • Created: 2024-06-25 02:30:31 UTC • Stars: 0

SpamixOfficial/CVE-2023-38831

Type: github • Created: 2023-12-12 14:54:30 UTC • Stars: 1

CVE-2023-38831 Proof-of-concept code

malvika-thakur/CVE-2023-38831

Type: github • Created: 2023-09-21 06:08:30 UTC • Stars: 3

Proof-of-Concept (POC) of CVE-2023-38831 Zero-Day vulnerability in WinRAR

ameerpornillos/CVE-2023-38831-WinRAR-Exploit

Type: github • Created: 2023-09-12 16:01:17 UTC • Stars: 3

Proof of concept (PoC) exploit for the WinRAR vulnerability (CVE-2023-38831)

Malwareman007/CVE-2023-38831

Type: github • Created: 2023-09-12 14:07:00 UTC • Stars: 9

CVE-2023-38831 WinRAR Exploit Generator

xaitax/WinRAR-CVE-2023-38831

Type: github • Created: 2023-09-03 21:14:05 UTC • Stars: 12

This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, a script is executed, leading to code execution.

Mich-ele/CVE-2023-38831-winrar

Type: github • Created: 2023-09-01 16:45:42 UTC • Stars: 3

CVE-2023-38831 winrar exploit builder

MorDavid/CVE-2023-38831-Winrar-Exploit-Generator-POC

Type: github • Created: 2023-08-30 19:55:11 UTC • Stars: 8

This is a POC for the CVE-2023-38831 exploit targeting WinRAR up to 6.22. Modified some existing internet-sourced POCs by introducing greater dynamism and incorporating additional try-except blocks within the code.

z3r0sw0rd/CVE-2023-38831-PoC

Type: github • Created: 2023-08-30 11:52:23 UTC • Stars: 5

Proof-of-Concept for CVE-2023-38831 Zero-Day vulnerability in WinRAR

ahmed-fa7im/CVE-2023-38831-winrar-expoit-simple-Poc

Type: github • Created: 2023-08-28 22:08:31 UTC • Stars: 11

CVE-2023-38831 winrar exploit generator and get reverse shell

PascalAsch/CVE-2023-38831-KQL

Type: github • Created: 2023-08-28 15:26:14 UTC • Stars: 4

KQL Hunting for WinRAR CVE-2023-38831

knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831

Type: github • Created: 2023-08-28 14:48:22 UTC • Stars: 41

Understanding WinRAR Code Execution Vulnerability (CVE-2023-38831)

Maalfer/CVE-2023-38831_ReverseShell_Winrar-RCE

Type: github • Created: 2023-08-28 08:56:16 UTC • Stars: 22

Steps needed to obtain a reverse shell by exploiting the WinRAR vulnerability CVE-2023-38831 in versions prior to 6.23.

HDCE-inc/CVE-2023-38831

Type: github • Created: 2023-08-28 04:56:10 UTC • Stars: 71

CVE-2023-38831 PoC (Proof Of Concept)

ignis-sec/CVE-2023-38831-RaRCE

Type: github • Created: 2023-08-27 21:49:37 UTC • Stars: 115

An easy-to-install and easy-to-run tool for generating exploit payloads for CVE-2023-38831, WinRAR RCE before version 6.23

IR-HuntGuardians/CVE-2023-38831-HUNT

Type: github • Created: 2023-08-27 08:42:24 UTC • Stars: 2

b1tg/CVE-2023-38831-winrar-exploit

Type: github • Created: 2023-08-25 09:44:08 UTC • Stars: 788

CVE-2023-38831 winrar exploit generator

BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc

Type: github • Created: 2023-08-24 16:03:07 UTC • Stars: 91

lazy way to create CVE-2023-38831 winrar file for testing

Timeline

  • Used in Fancy Bear APT Campaign

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Metasploit