CVE-2014-125119
published 2025-07-25


Priority · P2 · 75 · high · 8.4 · CVSS 4.0
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.49% (71.0th percentile)
A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| rarlab | winrar | >= 3.80 < 3.91 | 3.91 |
| rarlab | winrar | >= 4.11 < 5.00 | 5.00 |

Detection & IOCs (extracted from sources)

other: ZIP archive with mismatched Central Directory and Local File Header filenames
  • Hunt for WinRAR spawning unexpected child processes (e.g., executables masquerading as benign file types such as .txt, .jpg, .pdf) — the attacker-controlled Local File Header payload is extracted and executed while the user sees a harmless Central Directory filename.
  • Correlate WinRAR file-open events with ZIP archives delivered in the March 2014 timeframe or later; the Metasploit module confirms this was exploited in the wild starting March 2014.
  • The spoofing only triggers when the victim opens the crafted ZIP in WinRAR and interacts with (opens/executes) the displayed file — passive extraction via command-line or other archivers may not trigger the same display/execution inconsistency.
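
The indicator above (Central Directory and Local File Header names that disagree) can be checked statically on an archive at a mail gateway or during triage. The following is an added example, not code from this page or from any vendor; the function name `find_name_mismatches` is an assumption, and the parser assumes a plain ZIP (no Zip64, no data prepended before the first entry).

```python
import struct
import sys

# Fixed-size ZIP records (little-endian, per the ZIP format specification).
EOCD = struct.Struct("<4s4H2LH")    # end of central directory, 22 bytes
CDH = struct.Struct("<4s6H3L5H2L")  # central directory file header, 46 bytes
LFH = struct.Struct("<4s5H3L2H")    # local file header, 30 bytes


def find_name_mismatches(data: bytes):
    """Return (central_directory_name, local_header_name) for every entry
    whose two name fields differ. Assumes no Zip64 and no prepended data."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("end of central directory record not found")
    eocd = EOCD.unpack_from(data, pos)
    total_entries, off = eocd[4], eocd[6]
    mismatches = []
    for _ in range(total_entries):
        if off + CDH.size > len(data):
            raise ValueError("truncated central directory")
        cd = CDH.unpack_from(data, off)
        if cd[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        name_len, extra_len, comment_len, lfh_off = cd[10], cd[11], cd[12], cd[16]
        cd_name = data[off + CDH.size:off + CDH.size + name_len]
        off += CDH.size + name_len + extra_len + comment_len
        if lfh_off + LFH.size > len(data):
            raise ValueError("local header offset out of range")
        lf = LFH.unpack_from(data, lfh_off)
        if lf[0] != b"PK\x03\x04":
            raise ValueError("bad local file header signature")
        lf_name = data[lfh_off + LFH.size:lfh_off + LFH.size + lf[9]]
        if cd_name != lf_name:
            # cp437 decodes every byte value, so odd names never raise here.
            mismatches.append((cd_name.decode("cp437"), lf_name.decode("cp437")))
    return mismatches


if __name__ == "__main__":
    # Pass one or more archive paths on the command line.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for shown, stored in find_name_mismatches(fh.read()):
                print(f"{path}: listed as {shown!r}, local header has {stored!r}")
```

Any returned pair means the name a user would see in the archive listing differs from the name stored with the file data, which is the inconsistency this CVE describes.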

CVSS provenance

nvd · v4.0 · 8.4 · HIGH · CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 8.4 · HIGH