IRONSMITHINTEL
HIGH | CVSS 7.8 | Actively Exploited | CVE-2023-40477 | Auth: none (opening/previewing an archive is sufficient) | Reboot: not required | Est. 5 minutes (no reboot required) | Manual only

WinRAR < 6.23 — RCE

WinRAR has an out-of-bounds write vulnerability in recovery volume processing, allowing code execution when extracting a malicious archive. Update to WinRAR 6.23 — widely exploited by APTs to deliver malware via weaponised archive files.

Published Aug 17, 2023 · Updated May 10, 2026
Why patch: Risk explained in plain English
Worst-case scenario (if unpatched)

An attacker who can get a user to open or preview a malicious RAR archive can execute code with the user's privileges. Malicious archives can be distributed via email, downloads, or even embedded in ZIP files (which Windows opens natively, masking the inner RAR from initial scanning).

How the attack works (no clicks needed)

WinRAR has an out-of-bounds write vulnerability when processing specially crafted recovery volumes in RAR archives. Processing a malicious .rar file (which can be triggered by opening the file or navigating to it in the WinRAR file manager) causes memory corruption that leads to code execution.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows users with WinRAR
IT Administrators
Desktop Support
Running WinRAR prior to 6.23

Affected OS versions

Windows 10, Windows 11, Windows Server 2019, Windows Server 2022
Fixed in: WinRAR 6.23

Real-world incidents: What we've seen

Zero Day Initiative disclosed CVE-2023-40477 in August 2023. Multiple APT groups (including Sandworm/APT28 and several financial crime groups) were observed distributing malicious WinRAR archives exploiting this and related CVEs (CVE-2023-38831). The exploit was delivered via spear-phishing emails with RAR attachments appearing to be financial documents. WinRAR has hundreds of millions of users and many enterprise deployments.

How to patch

Manual remediation steps

5 minutes (no reboot required)

Check WinRAR Version

# Find WinRAR installations:
$winrarPaths = @(
  "C:\Program Files\WinRAR\WinRAR.exe",
  "C:\Program Files (x86)\WinRAR\WinRAR.exe"
)
foreach ($path in $winrarPaths) {
  if (Test-Path $path) {
    $version = (Get-Item $path).VersionInfo.FileVersion
    Write-Host "Found WinRAR $version at $path"
  }
}
# Vulnerable if older than 6.23

Update WinRAR

# Via winget:
winget upgrade RARLab.WinRAR

# Or download directly from https://www.rarlab.com/download.htm
# Select: WinRAR x64 (64 bit) 6.23 or later

Enterprise Inventory — Find All WinRAR Installations

# Scan for WinRAR across all program directories
Get-ChildItem "C:\Program Files","C:\Program Files (x86)" -Recurse `
  -Filter "WinRAR.exe" -ErrorAction SilentlyContinue |
  Select-Object FullName, @{N='Version';E={ $_.VersionInfo.FileVersion }}

# Or check Add/Remove Programs:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver" `
  -ErrorAction SilentlyContinue | Select-Object DisplayVersion

Verify

(Get-Item "C:\Program Files\WinRAR\WinRAR.exe").VersionInfo.FileVersion
# Must show 6.23 or later
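
One way to combine the check, inventory and verify steps above into a single report, as an added example that is not the page's own script: it reads the same two install paths and uninstall key, compares each version numerically against 6.23, and emits one object per finding. The WOW6432Node registry key and the helper name ConvertTo-WinRarVersion are assumptions of this example.

```powershell
# Added example: flag WinRAR builds older than the fixed release (6.23).
$fixed = [version]'6.23'

# Install paths and uninstall key come from the steps above; the WOW6432Node
# key is an assumption covering a 32-bit WinRAR on 64-bit Windows.
$exePaths = 'C:\Program Files\WinRAR\WinRAR.exe',
            'C:\Program Files (x86)\WinRAR\WinRAR.exe'
$regKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver'

function ConvertTo-WinRarVersion([string]$Text) {
    # Parse the leading major.minor so the comparison is numeric, not textual.
    if ($Text -match '^\s*(\d+)\.(\d+)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2])
    }
    return $null   # unparsable or missing: reported as Unknown for manual review
}

$findings = @()
foreach ($p in $exePaths) {
    if (Test-Path $p) {
        $findings += [pscustomobject]@{
            Source = $p
            Raw    = (Get-Item $p).VersionInfo.FileVersion
        }
    }
}
foreach ($k in $regKeys) {
    $entry = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($entry) { $findings += [pscustomobject]@{ Source = $k; Raw = $entry.DisplayVersion } }
}

$findings | ForEach-Object {
    $v = ConvertTo-WinRarVersion $_.Raw
    $status = if (-not $v) { 'Unknown' } elseif ($v -lt $fixed) { 'Vulnerable' } else { 'Patched' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Source   = $_.Source
        Version  = $_.Raw
        Status   = $status
    }
}
```

No output means neither the install paths nor the uninstall keys were found on that host; a copy in a non-default location still needs the recursive scan from the inventory step.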

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.