CVE-2014-125119

HIGH EXPLOITED

WinRAR 3.80-3.90 and 4.11-4.99 - Filename Spoofing via ZIP Central Directory and Local File Header Inconsistency

Title source: llm

Exploitation Summary

CVE-2014-125119 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including chr1x, juan vazquez, including a Metasploit module exploits/windows/fileformat/winrar_name_spoofing.

AI-analyzed exploit summary This Metasploit module exploits a filename spoofing vulnerability in WinRAR (CVE-2014-125119) by creating a ZIP file with mismatched filenames in the central directory and local file header. It embeds a payload executable with a spoofed name to deceive users into executing arbitrary code.

Description

A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.

Exploits (1)

metasploit WORKING POC EXCELLENT

by chr1x, juan vazquez · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/winrar_name_spoofing.rb

View Code ZIP pw:eip

This Metasploit module exploits a filename spoofing vulnerability in WinRAR (CVE-2014-125119) by creating a ZIP file with mismatched filenames in the central directory and local file header. It embeds a payload executable with a spoofed name to deceive users into executing arbitrary code.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WinRAR (versions affected by CVE-2014-125119)

No auth needed

Prerequisites: Victim must open the malicious ZIP file in WinRAR and execute the spoofed file

MITRE ATT&CK

T1204.002 - Malicious File

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Various Sources vendor-advisory

https://www.rarlab.com/vuln_zip_spoofing_4.20.html

Various Sources technical-description exploit

https://an7isec.blogspot.com/2014/03/winrar-file-extension-spoofing-0day.html

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/winrar_name_spoofing.rb

Various Sources technical-description

https://web.archive.org/web/20141111142204/https://www.intelcrawler.com/report_2603.pdf

Various Sources technical-description media-coverage

https://web.archive.org/web/20140625054244/http://intelcrawler.com/news-15

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/winrar-filename-spoofing-rce

Scores

CVSS v4 8.4

EPSS 0.0140

EPSS Percentile 68.7%

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2025-07-25

CWE

CWE-20 CWE-434

Status published

Products (2)

RARLab/WinRAR 3.80 - 3.91

RARLab/WinRAR 4.11 - 5.00

Published Jul 25, 2025

Tracked Since Feb 18, 2026