{"id":6273,"date":"2025-08-20T05:04:10","date_gmt":"2025-08-20T05:04:10","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/zero-day-exploit-in-winrar-file-html\/"},"modified":"2025-08-20T05:04:10","modified_gmt":"2025-08-20T05:04:10","slug":"zero-day-exploit-in-winrar-file-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/zero-day-exploit-in-winrar-file-html\/","title":{"rendered":"Zero-Day Exploit in WinRAR File"},"content":{"rendered":"<div>Zero-Day Exploit in WinRAR File<\/div>\n<div>\n<p>A zero-day vulnerability in WinRAR is <a href=\"https:\/\/arstechnica.com\/security\/2025\/08\/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups\/\">being exploited<\/a> by at least two Russian criminal groups:<\/p>\n<blockquote>\n<p>The vulnerability seemed to have super Windows powers. It abused <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-fscc\/c54dec26-1551-4d3a-a0ea-4fa40f848eb3\">alternate data streams<\/a>, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.<\/p>\n<\/blockquote>\n<p>More details in the article.<\/p>\n<\/div>\n<p>Bruce Schneier<br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/08\/zero-day-exploit-in-winrar-file.html\">Go to Bruce Schneier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zero-Day Exploit in WinRAR File A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups: The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,1264,258,317,1,517],"tags":[87],"class_list":["post-6273","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-exploits","category-malware","category-russia","category-uncategorized","category-zero-day","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6273"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6273"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6273\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}