What Is the Vulnerability
A vulnerability in WinRAR’s handling of recovery volumes (REV files) allows attackers to execute arbitrary code on the user’s system. When a WinRAR user opens a maliciously crafted RAR archive containing a malformed recovery volume, the flawed parsing logic triggers code execution. An earlier fix addressed the flaw only partially, for the RAR3 format; the RAR5 format is affected as well. WinRAR lacks automatic update functionality, so manual patching is the only option.
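Because the flaw reaches both the RAR3 and RAR5 formats, a mail gateway or file-share scanner that wants to hold RAR material until the fleet is patched should recognise it by content rather than by file name. The following is an added example, not code from the advisory or from RARLAB: it classifies an attachment by the published RAR signatures and applies an example hold policy. The policy itself, the sample attachments, and the decision to treat a file as a recovery volume purely by its `.rev` extension (no REV parsing is attempted) are assumptions of the example.

```python
# Added example, not code from the advisory or from RARLAB: classify an
# attachment by its on-disk RAR signature instead of trusting its file name,
# so a gateway can apply one hold policy to RAR3, RAR5 and recovery-volume
# (.rev) files while WinRAR installs are still unpatched.
from dataclasses import dataclass
from pathlib import PurePosixPath

# Published RAR signatures: RAR 1.5-4.x archives begin with 'Rar!\x1a\x07\x00',
# RAR5 archives with 'Rar!\x1a\x07\x01\x00'. The seventh byte tells them apart.
RAR3_SIGNATURE = b"Rar!\x1a\x07\x00"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"

# Extensions WinRAR uses for archives and recovery volumes. Treating .rev as a
# recovery volume by name alone is an assumption of this example; the REV
# format itself is not parsed here.
ARCHIVE_EXTENSIONS = {".rar", ".rev"}


@dataclass(frozen=True)
class Verdict:
    fmt: str       # "rar3", "rar5" or "none" (from the signature)
    action: str    # "hold", "hold-mismatch" or "pass"
    reason: str


def detect_format(data: bytes) -> str:
    """Return the RAR flavour indicated by the leading bytes, or 'none'."""
    if data.startswith(RAR5_SIGNATURE):
        return "rar5"
    if data.startswith(RAR3_SIGNATURE):
        return "rar3"
    return "none"


def triage(name: str, data: bytes) -> Verdict:
    """Decide how a gateway should handle one attachment.

    Example policy (not the advisory's): any content carrying a RAR signature
    is held, as is anything named *.rev; RAR content hiding under an unrelated
    extension is held and flagged separately so an analyst sees the mismatch.
    """
    fmt = detect_format(data)
    ext = PurePosixPath(name).suffix.lower()
    if fmt != "none" and ext not in ARCHIVE_EXTENSIONS:
        return Verdict(fmt, "hold-mismatch",
                       f"{fmt} signature under extension {ext or '(none)'}")
    if fmt != "none":
        return Verdict(fmt, "hold", f"{fmt} archive or volume")
    if ext == ".rev":
        return Verdict(fmt, "hold", "named as a recovery volume")
    return Verdict(fmt, "pass", "no RAR signature")


# Constructed sample attachments; only the leading bytes matter for the check.
SAMPLES = {
    "report.rar": RAR5_SIGNATURE + b"\x00" * 16,
    "old-archive.rar": RAR3_SIGNATURE + b"\x00" * 16,
    "photo.jpg": RAR3_SIGNATURE + b"\x00" * 16,   # RAR content under an image name
    "backup.part1.rev": b"\x00" * 16,             # REV contents not modelled
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(samples: dict) -> dict:
    """Run the triage over a name -> bytes mapping."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name:18} {verdict.fmt:5} {verdict.action:14} {verdict.reason}")
```

The signature check runs before the extension check on purpose: a RAR archive renamed to `.jpg` is still opened by WinRAR when a user double-clicks it after saving, so the name carries no security information.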
Versions Affected
- WinRAR — all versions prior to 7.23
WinRAR is a widely used archiving utility installed on millions of Windows systems globally. The vulnerability affects both consumer and enterprise deployments.
Exploited?
No confirmed active exploitation in the wild at time of publication. The vulnerability was responsibly disclosed and patched in WinRAR 7.23. However, given the widespread deployment of WinRAR and the historical pattern of archive-parsing vulnerabilities being weaponised (e.g., CVE-2023-40477, CVE-2025-61374), exploitation attempts are expected once technical details circulate.
Fix
WinRAR has released version 7.23 which addresses the recovery volume parsing vulnerability. Because WinRAR does not include automatic update functionality, users and administrators must manually download and install the update.
- Primary fix: Download and install WinRAR 7.23 from the official website (rarlab.com).
- Enterprise workaround: Use patch management tools such as Zoho Patch Manager or PatchMyPC to deploy the update across managed systems.
Recommendations
- Immediately update WinRAR to 7.23 on all systems — personal and enterprise.
- Enterprise environments: Use patch management tools to deploy the update at scale since WinRAR lacks Group Policy support for auto-update.
- Consider alternatives: Evaluate archiving tools that support automatic updates, such as 7-Zip, Bandizip, or PeaZip, for long-term vulnerability management.
- User awareness: Remind users not to open RAR archives from untrusted sources, including email attachments and download sites.
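Since WinRAR does not update itself, the practical control is knowing which hosts still run a version older than 7.23. The following is an added example, not code from the advisory or from any patch-management product: it reads a software inventory export and lists the WinRAR installs that still need the update, comparing versions numerically rather than as strings. The CSV layout, the host names, and the choices to flag an empty version and to treat a 7.23 pre-release as older than the 7.23 final build are assumptions of the example.

```python
# Added example, not code from the advisory or from RARLAB: check a software
# inventory export for WinRAR installs older than the fixed release 7.23.
# Versions are compared numerically, and unparseable or pre-release versions
# are flagged conservatively.
import csv
import io
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (7, 23)   # first release carrying the fix, per the advisory

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '7.23', '7.23.0' or '7.01 beta 2' into a tuple of ints; None if no digits."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(version: str) -> bool:
    """True when the reported version is below 7.23 or cannot be trusted.

    Assumptions of this example: a version string that cannot be parsed is
    treated as vulnerable, and a 7.23 pre-release ('beta', 'rc') is treated as
    older than the 7.23 final build.
    """
    parts = parse_version(version)
    if parts is None:
        return True
    prerelease = re.search(r"\b(beta|rc)\b", version, re.IGNORECASE) is not None
    if parts[:2] == FIXED_VERSION and prerelease:
        return True
    return parts[:2] < FIXED_VERSION


# Constructed inventory export in the shape a patch-management tool might
# produce (host, product name, version). These are not real hosts.
INVENTORY_CSV = """host,product,version
ws-001,WinRAR 7.23 (64-bit),7.23.0
ws-002,WinRAR 7.13 (64-bit),7.13.0
ws-003,WinRAR 6.24 (32-bit),6.24.0
ws-004,7-Zip 24.09 (x64),24.09
ws-005,WinRAR 7.23 beta 1 (64-bit),7.23 beta 1
ws-006,WinRAR archiver,
"""


def find_unpatched(csv_text: str) -> List[Tuple[str, str]]:
    """Return (host, version) for every WinRAR row that still needs the update."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["product"].lower().startswith("winrar"):
            continue   # other archivers are out of scope for this advisory
        if needs_update(row["version"]):
            findings.append((row["host"], row["version"]))
    return findings


if __name__ == "__main__":
    for host, version in find_unpatched(INVENTORY_CSV):
        print(f"{host}: WinRAR {version or '(no version reported)'} -> update to 7.23")
```

Rows without a usable version are reported rather than skipped: an inventory gap on a host that has WinRAR installed is exactly the host a patch rollout tends to miss.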
References
- Security.nl: WinRAR-lek laat aanvaller code op systeem van gebruikers uitvoeren (WinRAR flaw lets an attacker execute code on users' systems)
- WinRAR 7.23 changelog (rarlab.com)
- European Vulnerability Database reference
Part of the Vulnerability Intelligence series on threat-modeling.com. July 5, 2026 Report.
