WinRAR Vulnerability Allows Bypass of Windows ‘Mark of the Web’ Protections

Information:

  A newly disclosed vulnerability in the popular file archiving tool WinRAR could allow attackers to bypass a key Windows security feature and execute arbitrary code on victims' machines. The vulnerability specifically targets Windows' Mark of the Web (MotW), a built-in protection mechanism that flags downloaded files as potentially unsafe. MotW is metadata that browsers and other download tools attach to a file (on NTFS it is stored in the file's Zone.Identifier alternate data stream) so that Windows can tell the file originated from the internet and show a security warning when the user tries to open it.
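How the mark is stored and read, as an added example (this is not code from the bulletin, from WinRAR or from Microsoft): on NTFS the MotW is a short INI-style text in the file's Zone.Identifier alternate data stream, which Python can open on Windows by appending ':Zone.Identifier' to the path. The parser is kept separate from the stream access so it can be exercised on a constructed sample; the URLs in the sample are made up.

```python
"""Read, parse and re-apply a Windows Mark-of-the-Web (MotW) tag.

Added example for this bulletin, not code from WinRAR or Microsoft.
On NTFS the MotW lives in the file's Zone.Identifier alternate data
stream (ADS); the parser below is pure Python and is exercised on a
constructed sample, while read_motw()/write_motw() touch the ADS and
therefore only do anything on Windows.
"""
import sys

# URLMON security zones as they appear in the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes after a download (URLs are made up).
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.invalid/\r\n"
                 "HostUrl=https://downloads.example.invalid/report.rar\r\n")


def parse_zone_identifier(text):
    """Return the key=value pairs of the [ZoneTransfer] section as a dict.

    Other sections and malformed lines are ignored.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(fields):
    """ZoneId as an int, or None when missing or not numeric."""
    try:
        return int(fields.get("ZoneId", ""))
    except ValueError:
        return None


def is_marked_from_internet(fields):
    """True for the zones (Internet, Restricted sites) that make Windows warn before running."""
    zid = zone_id(fields)
    return zid is not None and zid >= 3


def describe(fields):
    """Human-readable summary used when triaging a downloaded file."""
    zid = zone_id(fields)
    name = ZONE_NAMES.get(zid, "unknown")
    return f"zone {zid} ({name}), source {fields.get('HostUrl', '<none>')}"


def read_motw(path):
    """Parse the file's Zone.Identifier stream; None when absent or not on Windows/NTFS."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:                      # no ADS, FAT volume, permission problem
        return None


def write_motw(path, host_url=None, zone=3):
    """Re-apply the mark by hand, e.g. to a file an archiver extracted without propagating it."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone}"]
    if host_url:
        lines.append(f"HostUrl={host_url}")
    with open(path + ":Zone.Identifier", "w", encoding="utf-8", newline="") as f:
        f.write("\r\n".join(lines) + "\r\n")


if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(describe(fields), "-> warn:", is_marked_from_internet(fields))
```

ZoneId 3 (Internet) and 4 (Restricted sites) are the values that trigger the prompt; a file whose stream is missing, or whose ZoneId is 0 to 2, opens silently. write_motw() is the manual fallback when an archiver has extracted a file without propagating the mark: tagging the extracted executable by hand restores the warning that the bypass removed.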

Incident:

  The security issue received a medium CVSS severity score of 6.8. The flaw exploits a behaviour in older versions of WinRAR (any version prior to 7.11) in which a specially crafted symbolic link (symlink) embedded in an archive can point to an executable file. When a user opens such a malicious archive and launches the symlinked entry, the executable runs without the usual Windows security warning for files downloaded from the internet.
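The attack primitive is an archive member that is a symbolic link to an executable. Below is a pre-extraction scan for that primitive, added here as an example and not WinRAR's code: Python's standard library cannot build RAR archives, so constructed ZIP and tar archives stand in, which is enough because the symlink entry is format-agnostic. The scanner also flags link targets that escape the extraction directory, a related symlink abuse the text above does not cover. The executable-extension list is an assumption for the demo, and the member names and link targets are constructed samples.

```python
"""Scan an archive for symbolic-link members before extracting it.

Added example for this bulletin, not WinRAR's code. The WinRAR issue turns
on one primitive, an archive member that is a symlink to an executable,
and that primitive is format-agnostic. The Python standard library cannot
build RAR archives, so constructed ZIP and tar archives stand in here.
"""
import io
import posixpath
import stat
import tarfile
import zipfile

# File types Windows launches directly on double-click (assumed list for the demo).
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".ps1",
                       ".js", ".vbs", ".hta", ".msi", ".lnk")


def classify_link(name, target):
    """Return (name, target, reasons); an empty reasons list means the link looks benign."""
    reasons = []
    norm = posixpath.normpath(target.replace("\\", "/"))
    if norm.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("points at an executable")
    first = norm.split("/")[0]
    if norm.startswith("/") or norm == ".." or norm.startswith("../") or ":" in first:
        reasons.append("escapes the extraction directory")
    return name, target, reasons


def symlinks_in_zip(data):
    """Yield (member, link target) for every symlink entry in a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16        # Unix mode bits live in the high 16 bits
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def symlinks_in_tar(data):
    """Yield (member, link target) for every symlink entry in a tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.issym():
                yield member.name, member.linkname


def suspicious_links(data):
    """Flagged symlink members of a ZIP or tar archive; refuse extraction if non-empty."""
    reader = symlinks_in_zip if zipfile.is_zipfile(io.BytesIO(data)) else symlinks_in_tar
    return [hit for hit in (classify_link(n, t) for n, t in reader(data)) if hit[2]]


def build_zip_with_symlink(link_name, target, payload_name=None):
    """Construct a ZIP whose member link_name is a symlink to target (plus an optional payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if payload_name:
            zf.writestr(payload_name, b"MZ constructed stand-in, not a real executable")
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                      # "Unix", so the mode bits are meaningful
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, target)                   # a ZIP symlink stores its target as the data
    return buf.getvalue()


def build_tar_with_symlink(link_name, target):
    """Construct a tar whose member link_name is a symlink to target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        member = tarfile.TarInfo(link_name)
        member.type = tarfile.SYMTYPE
        member.linkname = target
        tf.addfile(member)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_zip_with_symlink("invoice.pdf", "payload.exe", payload_name="payload.exe")
    for name, target, reasons in suspicious_links(lure):
        print(f"{name} -> {target}: {', '.join(reasons)}")
```

The lure in the usage call is the shape the bulletin describes: a harmless-looking name ("invoice.pdf") that is really a symlink to "payload.exe" shipped in the same archive. The two hardening rules the scanner applies, no symlink may target something executable and no symlink may resolve outside the extraction directory, are what a mail gateway or sandbox should enforce regardless of which archiver the endpoint uses.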

   This bypass of the MotW system is particularly dangerous because it removes one of Windows' core defenses against executing untrusted code. In a typical scenario, Windows would display a warning dialog when a user tries to run a file tagged with MotW, giving them a chance to avoid launching potentially harmful software.

With this vulnerability, that warning is effectively skipped. Threat actors, including state-sponsored ones, have exploited MotW bypasses in the past to deliver various malware without triggering the security warning.

  Recently, Russian hackers leveraged such a vulnerability in the 7-Zip archiver, which did not propagate the MotW to files nested in a double archive (an archive stored inside another archive), to run the SmokeLoader malware dropper.

Recommendation:

  Users are strongly advised to update to WinRAR version 7.11 or later, which includes a fix for this vulnerability. Caution should always be taken when handling archive files from untrusted sources, especially on systems where administrative access is granted: Windows only lets administrators (or accounts with Developer Mode enabled) create symbolic links, so an archive extracted under a standard, non-elevated user account cannot produce the symlink this attack depends on. Extracting untrusted archives as a standard user therefore reduces exposure even before the update is applied.

 

Security remains the priority: keep monitoring your systems as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

Weekly Interesting CVE

Columns: No. | CVE name | Published date | Last update | Device/Application/OS target | Attack type | CVSS severity rating | Detail | Solution | Reference

1. CVE-2024-2631
   Published date: 20/3/2024   Last update: 28/3/2025
   Target: Google Chrome for iOS prior to 123.0.6312.58
   Attack type: User interface (UI) spoofing
   CVSS: 4.3 (Medium)
   Detail: Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
   Solution: Upgrade to version 123.0.6312.58
   Reference: https://nvd.nist.gov/vuln/detail/cve-2024-2631

2. CVE-2024-5739
   Published date: 6/12/2024   Last update: 28/3/2025
   Target: LINE client for iOS versions below 14.9.0
   Attack type: Universal XSS (UXSS)
   CVSS: 6.1 (Medium)
   Detail: The in-app browser of the LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability: arbitrary JavaScript from an embedded iframe can execute in the top frame of any web site displayed in the in-app browser. The in-app browser is usually opened by tapping a URL in a chat message, and for the attack to succeed the victim must trigger a click event on the malicious iframe. If an attacker controls an iframe embedded in any web site, the flaw can be used to capture or alter content shown in the top frame, as well as user session information.
   Solution: Upgrade to version 14.9.0
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-5739

3. CVE-2024-21111
   Published date: 16/4/2024   Last update: 27/3/2025
   Target: Oracle VM VirtualBox prior to 7.0.16
   Attack type: Local privilege escalation
   CVSS: 7.8 (High)
   Detail: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 7.0.16. This easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks can result in takeover of Oracle VM VirtualBox.
   Solution: Upgrade to version 7.0.16
   Reference: https://nvd.nist.gov/vuln/detail/cve-2024-21111

4. CVE-2024-44276
   Published date: 17/3/2025   Last update: 28/3/2025
   Target: iOS versions below 18.2 and iPadOS versions below 18.2
   Attack type: Information disclosure (cleartext transmission; attacker in a privileged network position)
   CVSS: 7.3 (High)
   Detail: This issue was addressed by using HTTPS when sending information over the network. It is fixed in iOS 18.2 and iPadOS 18.2. A user in a privileged network position may be able to leak sensitive information.
   Solution: Upgrade to iOS 18.2 / iPadOS 18.2
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-44276

5. CVE-2024-3864
   Published date: 16/4/2024   Last update: 28/3/2025
   Target: Firefox versions below 125; Firefox ESR versions below 115.10; Thunderbird versions below 115.10
   Attack type: Remote code execution (memory corruption)
   CVSS: 8.1 (High)
   Detail: Memory safety bug present in Firefox 124, Firefox ESR 115.9 and Thunderbird 115.9. The bug showed evidence of memory corruption, and Mozilla presumes that with enough effort it could have been exploited to run arbitrary code.
   Solution: Firefox: upgrade to version 125; Firefox ESR: upgrade to version 115.10; Thunderbird: upgrade to version 115.10
   Reference: https://nvd.nist.gov/vuln/detail/cve-2024-3864

Columns: No. | Campaign name | Detection date | Attack type | Description | Mitigation/Remediation

1. Veeam RCE
   Detection date: 20/03/2025
   Attack type: Remote Code Execution (RCE)
   Description: Veeam has released patches for a critical vulnerability, CVE-2025-23120, in its Backup & Replication software that affects domain-joined Windows installations. The flaw is a deserialization issue in the software's .NET classes that lets an attacker holding a domain account execute arbitrary code on the backup server. Veeam had previously mitigated deserialization by blocklisting known-dangerous classes, but the researchers found other classes that were not on the blocklist and could still be exploited. Only domain-joined installations are affected, and any user in the domain can exploit the flaw to take over the server.
   Mitigation/Remediation:
     • Upgrade to version 12.3.1 (build 12.3.1.1139)
     • Use multi-factor authentication (MFA)
   Note: because the flaw is reachable by any authenticated domain account, MFA on the console does not close it; the patch does. Veeam's own best-practice guidance is to keep the backup server off the production domain (in a workgroup or a separate management domain), which also removes the precondition for this bug.
   Ref: https://www.bleepingcomputer.com/news/security/veeam-rce-bug-lets-domain-users-hack-backup-servers-patch-now/

09 April 2025
