CVE-2018-20250
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
Analysis
WinRAR 5.61 and earlier contains a path traversal vulnerability in the ACE archive format handler (UNACEV2.dll) that allows files to be extracted to arbitrary locations, enabling persistent malware installation through placement in the Startup folder.
Technical Context
The CWE-36 (absolute path traversal) flaw in UNACEV2.dll is triggered when the filename field of an ACE format archive is parsed. By manipulating the filename with traversal sequences, attackers can write files to any writable location. The classic attack writes a malicious executable to the Windows Startup folder for persistence.
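The check an extractor has to make before writing a member, so that a stored name can never cause the destination folder to be ignored, is sketched below as an added example (not WinRAR or UNACEV2.dll code, and not part of the original page). `safe_target`, `audit` and the sample names are hypothetical and constructed; the check goes beyond the absolute-path case described above and also rejects `..` and colon-bearing components.

```python
from pathlib import PureWindowsPath


class UnsafeEntry(ValueError):
    """An archive member name that must not be extracted."""


def safe_target(dest: str, member: str) -> PureWindowsPath:
    """Return where `member` would land under `dest`, or raise UnsafeEntry."""
    name = PureWindowsPath(member)  # accepts both "\\" and "/" separators
    # A drive ("C:", "\\\\host\\share") or a root ("\\") makes a plain join
    # discard `dest` entirely: PureWindowsPath(r"C:\out") / r"C:\Temp\x" is
    # C:\Temp\x. This test covers "C:\\x", "C:x", "\\x" and UNC names.
    if name.drive or name.root:
        raise UnsafeEntry(f"absolute or drive-qualified: {member!r}")
    if not name.parts:
        raise UnsafeEntry("empty name")
    for part in name.parts:
        if part == "..":
            raise UnsafeEntry(f"parent-directory component: {member!r}")
        if ":" in part:  # drive letter mid-path or an NTFS alternate stream
            raise UnsafeEntry(f"colon in component: {member!r}")
    return PureWindowsPath(dest).joinpath(name)


def audit(dest: str, members: list[str]) -> dict[str, str]:
    """Map each member name to its extraction path or to 'REJECT: reason'."""
    report = {}
    for member in members:
        try:
            report[member] = str(safe_target(dest, member))
        except UnsafeEntry as exc:
            report[member] = f"REJECT: {exc}"
    return report


# Constructed member names, not taken from any real archive.
SAMPLE = [
    "docs/readme.txt",
    r"C:\Temp\dropped.exe",
    r"C:dropped.exe",
    r"\Temp\dropped.exe",
    r"\\fileserver\share\dropped.exe",
    r"..\..\dropped.exe",
    r"docs\C:\Temp\dropped.exe",
]

if __name__ == "__main__":
    for member, verdict in audit(r"C:\Users\alice\Extracted", SAMPLE).items():
        print(f"{member!r:40} -> {verdict}")
```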
Affected Products
WinRAR versions prior to and including 5.61
Remediation
Update WinRAR to 5.70+, which removed ACE format support entirely (UNACEV2.dll deleted). The DLL cannot be patched as source code was lost. Alternatively, manually delete UNACEV2.dll from the WinRAR installation directory.