CVE-2014-125119
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-07-29

Assigner: VulnCheck

Description
A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor   Product   Version
rarlab   winrar    4.20
rarlab   winrar    5.00
rarlab   winrar    4.11
rarlab   winrar    5.1
CWE ID    Description
CWE-434   The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-20    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2014-125119 is a filename spoofing vulnerability in WinRAR's handling of ZIP archives. It occurs because WinRAR displays filenames from the ZIP file's Central Directory but extracts files using names from the Local File Header. This discrepancy allows an attacker to craft a ZIP archive where the displayed filename appears benign (e.g., an image or text file), but the extracted file is actually a malicious executable. Users can be tricked into running malware disguised as harmless files. The vulnerability can be enhanced using the Unicode Right-to-Left Override character to further disguise the true file extension, making the spoofing nearly perfect. [1, 2, 3, 4]


How can this vulnerability impact me?

This vulnerability can lead to remote code execution on affected systems. Attackers can deceive users into executing malicious payloads disguised as harmless files, potentially compromising system confidentiality, integrity, and availability. It poses a significant security risk by bypassing file validation mechanisms in WinRAR, allowing malware to be delivered and executed without raising suspicion. The exploit has been used in targeted attacks against high-profile organizations, enabling cyber espionage and unauthorized remote administration. [1, 4, 5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying specially crafted ZIP archives that exploit the filename spoofing issue in WinRAR. Since the attack relies on discrepancies between the Central Directory and Local File Header filenames in ZIP files, detection can focus on analyzing ZIP archives for mismatched filenames. Tools like hex editors or ZIP file analyzers can be used to inspect the filename fields. Additionally, antivirus solutions such as AVG 2014 reportedly detect and block files using the Unicode Right-to-Left Override (RLO) character, which is often combined with this exploit. There is no specific command-line tool or command provided in the resources, but manual inspection or using forensic ZIP analysis tools to compare the Central Directory and Local File Header filenames can help detect the vulnerability. Monitoring for suspicious ZIP files with misleading filenames or the presence of RLO characters in filenames can also aid detection. [1]
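The comparison described above, written out as an added example (not part of this record or of any cited resource): it walks the Central Directory of a ZIP, reads the filename stored in each member's Local File Header directly from the raw bytes, and reports members where the two names differ or where either name carries the RLO character. The fixture it builds is constructed in the code and the member names are made up.

```python
import io
import struct
import zipfile

RLO = "\u202e"  # Unicode Right-to-Left Override (U+202E)

def local_header_name(data: bytes, offset: int) -> str:
    """Return the filename stored in the Local File Header that starts at `offset`."""
    sig, _version, flags = struct.unpack_from("<IHH", data, offset)
    if sig != 0x04034B50:  # "PK\x03\x04"
        raise ValueError(f"no local file header at offset {offset:#x}")
    name_len = struct.unpack_from("<H", data, offset + 26)[0]
    raw = data[offset + 30 : offset + 30 + name_len]
    # general-purpose flag bit 11 marks a UTF-8 name; otherwise the ZIP default is cp437
    return raw.decode("utf-8" if flags & 0x800 else "cp437")

def audit_zip(data: bytes) -> list[str]:
    """One finding per member whose Central Directory name (what a viewer lists) differs from its
    Local File Header name (what gets written on extraction), plus any name carrying an RLO."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # zipfile populates these from the Central Directory
            shown = info.filename
            actual = local_header_name(data, info.header_offset)
            if shown != actual:
                findings.append(f"MISMATCH: directory shows {shown!r}, local header holds {actual!r}")
            for where, name in (("directory", shown), ("local header", actual)):
                if RLO in name:
                    findings.append(f"RLO character in {where} name {name!r}")
    return findings

def build_sample() -> bytes:
    """Constructed fixture: a member whose local-header name is patched after writing so it no longer
    matches its directory entry, a clean member, and a member with an RLO in its name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"plain text")        # first member: local header at offset 0
        zf.writestr("photo.jpg", b"\xff\xd8")          # clean member, names agree
        zf.writestr("readme" + RLO + "fdp.txt", b"x")  # a .txt that renders as if it ended in .pdf
    data = bytearray(buf.getvalue())
    assert data[30:39] == b"notes.txt"                  # name field of the first local header
    data[30:39] = b"notes.exe"                          # same length, so later offsets stay valid
    return bytes(data)

if __name__ == "__main__":
    for line in audit_zip(build_sample()):
        print(line)
```

Running it against a real archive is `audit_zip(open(path, "rb").read())`; an empty list means every listed name matches the name that extraction would write and no RLO is present.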


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading WinRAR to version 5.00 or later, as all 5.x versions starting from 5.00 are confirmed not vulnerable. If upgrading is not possible, users should avoid opening files directly from ZIP archives and carefully verify the names of unpacked files before opening them. Using archive formats less susceptible to this attack, such as .7z which can encrypt the table of contents, is recommended. Additionally, employing antivirus solutions that detect and block files using the RLO character can help mitigate risk. Users should also be cautious of files with suspicious or misleading filenames, especially those containing Unicode RLO characters, and avoid executing extracted files unless their legitimacy is confirmed. [1, 3]

