CVE-2023-38831

Think of a ZIP file as a backpack that contains items. This bug happens when the backpack contains an innocent-looking file (like a normal .JPG) and also a folder with the same name; when you try to “just view” the picture, WinRAR ends up processing the folder’s contents too, which can include harmful code. So the act of opening/viewing a harmless file becomes the trigger.

This matters to you if you use or run RARLAB WinRAR / rarlab winrar on Windows (versions before 6.23). If your business relies on receiving, downloading, or handling ZIP files—through email, shared drives, vendors, or customer uploads—this is relevant. The problem is not limited to niche enterprise systems; it targets the widely used WinRAR app.

This is RED because it’s actively being exploited in the real world (“itw”), including by ransomware (CISA KEV indicates known exploitation). The risk is especially high because attackers can trigger it through ordinary ZIP files, and a public exploit is available. You should treat this as an urgent patch: update as soon as possible, ideally immediately.

1. Update WinRAR to version 6.23 or newer on all Windows machines that have it installed.
2. If you can’t update right away, stop using WinRAR to open ZIPs from untrusted sources and ask your IT person for a temporary workaround (but updating is the real fix).
3. Check whether any recent suspicious ZIPs were opened with WinRAR, especially around the period before the update.