Experts have discovered a vulnerability in the WinRAR archiver that allows attackers to bypass the Mark of the Web (MotW), a Windows protection mechanism, and deploy malware on victims’ computers.
The vulnerability was discovered by Japanese researcher Shimamine Taihei of Mitsui Bussan Secure Directions. It was assigned the identifier CVE-2025-31334 and a severity score of 6.8 out of 10 (medium). MotW is a security tool that displays a warning when downloading an executable file from the Internet. This built-in Windows mechanism notifies users that files downloaded from the Internet may be dangerous, but the warning could be bypassed if the file was inside an archive.
“If a symbolic link pointing to an executable file was opened from the WinRAR shell, the Mark of the Web executable file data was ignored,” the archiver’s website explains. A symbolic link (or symlink) is a shortcut or alias to a file or folder. It is not a copy of the file, only a pointer to it. A hacker could create a symbolic link pointing to an executable file carrying MotW, and when the link was opened, the MotW warning was not displayed. The vulnerability was found in all older versions of WinRAR and was fixed in version 7.11, which is now available for download.
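
A defender-side triage sketch for the issue described above, added here as an example and not taken from WinRAR or the researcher: it checks a WinRAR version string against the fixed 7.11 release and lists symbolic links in an extracted folder that resolve to executables, together with the target's MotW zone. The `Zone.Identifier` stream and its `ZoneId` values are standard Windows behaviour not stated on the page; the function names, extension list and sample stream are assumptions.

```python
import os
import re

FIXED = (7, 11)  # first fixed WinRAR release, per the page
# Assumed list of extensions treated as executable for this triage
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi"}
# Constructed sample of a Zone.Identifier stream (ZoneId=3 is the Internet zone)
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.zip\r\n"

def is_patched(version: str) -> bool:
    """True if a WinRAR version string such as '7.10' or '7.11.0' is >= 7.11."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0])[:2]) >= FIXED

def parse_zone_id(stream_text: str):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", stream_text, re.M | re.I)
    return int(m.group(1)) if m else None

def read_motw(path: str):
    """Read a file's MotW zone from its NTFS alternate data stream (Windows only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_id(f.read())
    except OSError:
        return None  # no stream present, or not an NTFS volume

def find_exec_symlinks(root: str):
    """Yield (link, target, zone) for symlinks under root that resolve to executables."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.splitext(target)[1].lower() in EXEC_EXT:
                yield link, target, read_motw(target)
```

On a host where `is_patched` returns `False`, any link reported with a zone of 3 or higher points at an executable whose warning would have been skipped when opened from the WinRAR shell.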