CVE-2022-30333

HIGH KEV RANSOMWARE

UnRAR Path Traversal (CVE-2022-30333)

Title source: metasploit

Exploitation Summary

CVE-2022-30333 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added August 9, 2022), with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including rbowes-r7, TheL1ghtVn, and aslitsecurity, among them a Metasploit module, exploits/linux/http/zimbra_unrar_cve_2022_30333.

AI-analyzed exploit summary: This PoC exploits CVE-2022-30333, a path traversal vulnerability in unRAR versions prior to 6.11, by generating a malicious RAR archive that extracts files to arbitrary locations. The script constructs a RAR file with a symlink and payload data, enabling arbitrary file write during extraction.

Description

RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

Exploits (7)

nomisec WORKING POC 14 stars
by rbowes-r7 · remote
https://github.com/rbowes-r7/unrar-cve-2022-30333-poc

This PoC exploits CVE-2022-30333, a path traversal vulnerability in unRAR versions prior to 6.11, by generating a malicious RAR archive that extracts files to arbitrary locations. The script constructs a RAR file with a symlink and payload data, enabling arbitrary file write during extraction.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: unRAR versions prior to 6.11
No auth needed
Prerequisites: Target system with vulnerable unRAR version · Ability to deliver malicious RAR file to target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 13 stars
by TheL1ghtVn · poc
https://github.com/TheL1ghtVn/CVE-2022-30333-PoC

This PoC demonstrates a path traversal vulnerability in UnRAR (CVE-2022-30333) by crafting malicious RAR archives that write files outside the intended directory. It includes test cases for Linux and Zimbra Mail Server exploitation via Amavisd extraction.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: UnRAR (affecting Zimbra Mail Server via Amavisd)
No auth needed
Prerequisites: Access to send emails to Zimbra server · Directory existence for Linux test
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by aslitsecurity · poc
https://github.com/aslitsecurity/Zimbra-CVE-2022-30333

This PoC exploits CVE-2022-30333, a vulnerability in Zimbra's UNRAR functionality (versions up to 6.11). It crafts a malicious RAR archive containing a symlink traversal payload to deploy a JSP webshell in the webroot directory.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite (with UNRAR <= 6.11)
No auth needed
Prerequisites: Access to send a malicious RAR file to the Zimbra server · JSP webshell prepared in a specific directory structure
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by paradox0909 · client-side
https://github.com/paradox0909/cve-2022-30333_online_rar_extracor

This repository contains a proof-of-concept exploit for CVE-2022-30333, a path traversal vulnerability in unRAR versions prior to 6.11. The exploit generates a malicious RAR file that extracts files to arbitrary locations, potentially leading to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: unRAR versions prior to 6.11
No auth needed
Prerequisites: Ability to upload a malicious RAR file to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by RakhithJK · poc
https://github.com/RakhithJK/CVE-2022-30333

This PoC exploits CVE-2022-30333, a path traversal vulnerability in unRAR versions prior to 6.11, by generating a malicious RAR file that extracts a payload to an arbitrary location via symlink manipulation. The script constructs a RAR archive with a symlink and payload data, enabling arbitrary file write during extraction.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: unRAR < 6.11
No auth needed
Prerequisites: Target system with vulnerable unRAR version · Ability to deliver malicious RAR file to target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Simon Scannell, Ron Bowes · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zimbra_unrar_cve_2022_30333.rb

This Metasploit module exploits CVE-2022-30333, a path traversal vulnerability in UnRAR (versions 6.11 or earlier) used by Zimbra Collaboration Suite. It crafts a malicious RAR file that, when processed by the server, extracts a JSP payload to a traversed directory, enabling remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zimbra Collaboration Suite (9.0.0 Patch 24 or earlier, 8.8.15 Patch 31 or earlier) with UnRAR <= 6.11
No auth needed
Prerequisites: Target Zimbra server with vulnerable UnRAR version · Ability to send emails to the target server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Simon Scannell, Ron Bowes · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb

This Metasploit module exploits CVE-2022-30333, a path-traversal vulnerability in UnRAR, by creating a malicious RAR file that extracts a payload to an arbitrary location on Linux systems via symbolic link manipulation.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: UnRAR versions prior to 6.12 (open source version 6.1.7)
No auth needed
Prerequisites: Victim must extract the malicious RAR file
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.9898
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2022-08-09
VulnCheck KEV: 2022-08-09
InTheWild.io: 2022-08-09
ENISA EUVD: EUVD-2022-52276
Ransomware Use: Confirmed
CWE: CWE-22, CWE-59
Status: published
Products (2):
debian/debian_linux 10.0
rarlab/unrar < 6.12
Published: May 09, 2022
KEV Added: Aug 09, 2022
Tracked Since: Feb 18, 2026