Recently, a high-risk security vulnerability in the WinRAR application was discovered, which can be exploited by attackers to achieve remote code execution on Windows systems.
Annotated as CVE-2023-40477 (CVSS score: 7.8), the vulnerability (CVE-2023-40477) exists in the processing of recovery volumes due to a lack of proper validation of user-supplied data.
The Zero-Day Initiative (ZDI) said in an announcement: The issue is due to a lack of proper validation of user-supplied data, which could lead to memory accesses past the end of the allocated buffer.
An attacker could exploit this vulnerability to execute code in the context of the current process.
Successful exploitation of this vulnerability requires user interaction, i.e. the target must be lured into visiting a malicious page, or opening a booby-trapped archive file.
A security researcher who goes by the pseudonym goodbyeselene discovered and reported the vulnerability on June 8, 2023. This issue has been fixed in WinRAR 6.23 released on August 2, 2023.
A second problem, "WinRAR could launch a wrong file after the user double-clicked an item in a specially crafted archive" was also fixed in the latest version.
WinRAR officially recommends that users update to the latest version to reduce potential threats.