CVE-2022-30333
Published 2022-05-09
Priority: P1 · 93 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2022-08-30
Exploited in the wild
EPSS: 98.98% (99.9th percentile)
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | rar | < rar 2:6.20~b1-0.1 (bookworm) | rar 2:6.20~b1-0.1 (bookworm) |
| debian | unrar-nonfree | < rar 2:6.20~b1-0.1 (bookworm) | rar 2:6.20~b1-0.1 (bookworm) |
| rarlab | rar | >= 0 < 2:6.20-0.1~deb11u1 | 2:6.20-0.1~deb11u1 |
| rarlab | rar | >= 0 < 2:6.20~b1-0.1 | 2:6.20~b1-0.1 |
| rarlab | rar | >= 0 < 2:6.20~b1-0.1 | 2:6.20~b1-0.1 |
| rarlab | rar | >= 0 < 2:6.20~b1-0.1 | 2:6.20~b1-0.1 |
| rarlab | rar | >= 0 < 2:6.23-1~20.04.1 | 2:6.23-1~20.04.1 |
| rarlab | rar | >= 0 < 2:6.23-1~22.04.1 | 2:6.23-1~22.04.1 |
| rarlab | unrar | < 6.12 | 6.12 |
Detection & IOCs (extracted from sources)
- The exploit works by embedding a Windows-style symbolic link in a RAR archive; when extracted on Linux, the symlink is not properly validated and can point anywhere on the filesystem. A second file in the archive with the same name is then written to the symlink destination; monitor for unexpected file writes outside the extraction directory during unRAR operations.
- In Zimbra-targeted exploitation, a malicious RAR file is delivered via email; successful exploitation plants a JSP-based backdoor in the public web directory. Monitor Zimbra web directories for unexpected JSP file creation.
- Vulnerable scope: Zimbra Collaboration 9.0.0 Patch 24 and earlier, and Zimbra Collaboration 8.8.15 Patch 31 and earlier, when UnRAR version 6.11 or earlier is installed. Use these version strings to identify unpatched assets.
- The vulnerability is fixed in UnRAR version 6.12 (open source version 6.1.7). Detect unpatched systems by identifying hosts running UnRAR < 6.12 on Linux/UNIX.
- CVE-2022-30333 has been exploited in the wild by the Chinese state-sponsored group RedHotel as part of initial access operations targeting public-facing applications. Correlate exploitation attempts against Zimbra with RedHotel C2 infrastructure.
- This vulnerability only affects UnRAR on Linux and UNIX platforms. WinRAR and Android RAR are explicitly unaffected.
- The libclamunrar (ClamAV) package is also affected and requires a separate update; patching UnRAR alone may not be sufficient if ClamAV is used for automated RAR scanning.
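The first detection note above can be turned into a post-extraction audit. The following is an added example, not code from UnRAR or from any source this page cites: it walks an extraction directory and reports symlinks whose target leaves it, reading both `/` and `\` as separators (an assumption about what "Windows-style" means here). All function names and the sample tree are constructed for illustration.

```python
import os
import posixpath
import tempfile

def forward_slash_only_check(target):
    """Weak check, for contrast only (not UnRAR's code): treats only '/' as a separator."""
    return not target.startswith("/") and "../" not in target

def link_escapes(root, link_path):
    """True if the link target leaves root once a backslash is read as a separator too."""
    target = os.readlink(link_path).replace("\\", "/")
    if target.startswith("/") or target[1:2] == ":":  # absolute or drive-letter target
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return not (resolved == root or resolved.startswith(root + "/"))

def audit_extraction(root):
    """Return relative paths of symlinks under root whose target points outside it."""
    root = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend through a link while auditing it
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and link_escapes(root, path):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree standing in for a freshly extracted archive."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    open(os.path.join(docs, "readme.txt"), "w").close()
    os.symlink("readme.txt", os.path.join(docs, "ok_link"))
    os.symlink("..\\..\\elsewhere", os.path.join(docs, "backslash_link"))
    os.symlink("../../elsewhere", os.path.join(docs, "dotdot_link"))
    os.symlink("/tmp/elsewhere", os.path.join(root, "abs_link"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "extract")
        build_sample(root)
        for rel in audit_extraction(root):
            print("symlink escapes extraction root:", rel)
```

The check is lexical and runs after extraction, so it complements upgrading to a fixed UnRAR rather than replacing it.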
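CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |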
Ubuntu
UnRAR vulnerabilities
vendor_ubuntu·2025-03-12·CVSS 7.5
CVE-2024-33899 [HIGH] UnRAR vulnerabilities
Title: UnRAR vulnerabilities
Summary: Several security issues were fixed in UnRAR.
It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)
It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)
Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked in
Ubuntu
RAR vulnerabilities
vendor_ubuntu·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] RAR vulnerabilities
Title: RAR vulnerabilities
Summary: Several security issues were fixed in RAR.
It was discovered that RAR incorrectly handled certain paths. If a user or
automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333)
It was discovered that RAR incorrectly handled certain recovery volumes. If
a user or automated system were tricked into extracting a specially crafted
RAR archive, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-40477)
Instructions: This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
Ubuntu
libclamunrar vulnerabilities
vendor_ubuntu·2024-01-08·CVSS 7.5
CVE-2022-30333 [HIGH] libclamunrar vulnerabilities
Title: libclamunrar vulnerabilities
Summary: Several security issues were fixed in libclamunrar.
It was discovered that libclamunrar incorrectly handled directories when
extracting RAR archives. A remote attacker could possibly use this issue to
overwrite arbitrary files and execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2022-30333)
It was discovered that libclamunrar incorrectly validated certain
structures when extracting RAR archives. A remote attacker could possibly
use this issue to execute arbitrary code. (CVE-2023-40477)
Instructions: This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
CISA
RARLAB UnRAR Directory Traversal Vulnerability
cisa·2022-08-09·CVSS 7.5
CVE-2022-30333 [HIGH] CWE-22 RARLAB UnRAR Directory Traversal Vulnerability
Vulnerability: RARLAB UnRAR Directory Traversal Vulnerability
Affected: RARLAB UnRAR
RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.
Required Action: Apply updates per vendor instructions.
Notes: Vulnerability updated with version 6.12. Accessing link will download update information: https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz; https://nvd.nist.gov/vuln/detail/CVE-2022-30333
Remediation Due Date: 2022-08-30
Debian
CVE-2022-30333: rar - RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write t...
vendor_debian·2022·CVSS 7.5
CVE-2022-30333 [HIGH] CVE-2022-30333: rar - RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write t...
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
Scope: local
bookworm: resolved (fixed in 2:6.20~b1-0.1)
bullseye: resolved (fixed in 2:6.20-0.1~deb11u1)
forky: resolved (fixed in 2:6.20~b1-0.1)
sid: resolved (fixed in 2:6.20~b1-0.1)
trixie: resolved (fixed in 2:6.20~b1-0.1)
OSV
unrar-nonfree vulnerabilities
osv·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] unrar-nonfree vulnerabilities
It was discovered that UnRAR incorrectly handled certain paths. If a user
or automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333, CVE-2022-48579)
It was discovered that UnRAR incorrectly handled certain recovery volumes.
If a user or automated system were tricked into extracting a specially
crafted RAR archive, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2023-40477)
Siddharth Dushantha discovered that UnRAR incorrectly handled ANSI escape
sequences when writing screen output. If a user or automated system were
tricked into processing a specially crafted RAR archive, a remot
OSV
rar vulnerabilities
osv·2025-03-12·CVSS 7.5
CVE-2022-30333 [HIGH] rar vulnerabilities
It was discovered that RAR incorrectly handled certain paths. If a user or
automated system were tricked into extracting a specially crafted RAR
archive, a remote attacker could possibly use this issue to write arbitrary
files outside of the targeted directory. (CVE-2022-30333)
It was discovered that RAR incorrectly handled certain recovery volumes. If
a user or automated system were tricked into extracting a specially crafted
RAR archive, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-40477)
OSV
libclamunrar vulnerabilities
osv·2024-01-08·CVSS 7.5
CVE-2022-30333 [HIGH] libclamunrar vulnerabilities
It was discovered that libclamunrar incorrectly handled directories when
extracting RAR archives. A remote attacker could possibly use this issue to
overwrite arbitrary files and execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2022-30333)
It was discovered that libclamunrar incorrectly validated certain
structures when extracting RAR archives. A remote attacker could possibly
use this issue to execute arbitrary code. (CVE-2023-40477)
GHSA
GHSA-h4mr-p94x-gf79: RARLAB UnRAR before 6
ghsa_unreviewed·2022-05-10
CVE-2022-30333 [HIGH] CWE-22 GHSA-h4mr-p94x-gf79: RARLAB UnRAR before 6
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
OSV
CVE-2022-30333: RARLAB UnRAR before 6
osv·2022-05-09·CVSS 7.5
CVE-2022-30333 [HIGH] CVE-2022-30333: RARLAB UnRAR before 6
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
VulnCheck
RARLAB UnRAR Directory Traversal Vulnerability
vulncheck·2022·CVSS 7.5
CVE-2022-30333 [HIGH] CWE-22 RARLAB UnRAR Directory Traversal Vulnerability
RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.
Affected: RARLAB UnRAR
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://assets.sentinelone.com/wt-reports/watchtower_2022_eoy; https://cisa.gov/news-events/cybersecurity-advisories/aa22-228a; https://cisa.gov/news-events/cybersecurity-advisories/aa23-278a; https://cyberint.com/blog/research/ransomware-trends-q3-2023-report/; https://cyberint.com/blog/research/ransomware-trends-and-statistics-2023-report/
Exploit PoC: https://vu
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1
suricata·2022-10-11·CVSS 7.5
CVE-2022-30333 [HIGH] ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M1"; flow:established,to_server; file.data; content:"Rar!|1a 07|"; startswith; content:"/jetty"; within:300; content:"/webapps/zimbra/public"; within:50; fast_pattern; reference:url,blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/; reference:cve,2022-30333; classtype:attempted-admin; sid:2039149; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_30333, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Suricata
ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2
suricata·2022-10-11·CVSS 7.5
CVE-2022-30333 [HIGH] ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2
Rule: alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Arbitrary File Upload (CVE-2022-30333) M2"; flow:established,to_server; file.data; content:"Rar!|1a 07|"; startswith; content:"|5c|jetty"; within:300; content:"|5c|webapps|5c|zimbra|5c|public"; within:50; fast_pattern; reference:url,blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/; reference:cve,2022-30333; classtype:attempted-admin; sid:2039150; rev:1; metadata:attack_target SMTP_Server, created_at 2022_10_11, cve CVE_2022_30333, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_11;)
Metasploit
UnRAR Path Traversal in Zimbra (CVE-2022-30333)
metasploit·CVSS 7.5
CVE-2022-30333 [HIGH] UnRAR Path Traversal in Zimbra (CVE-2022-30333)
This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on the following versions of Zimbra, provided UnRAR version 6.11 or earlier is installed:
- Zimbra Collaboration 9.0.0 Patch 24 (and earlier)
- Zimbra Collaboration 8.8.15 Patch 31 (and earlier)
Metasploit
UnRAR Path Traversal (CVE-2022-30333)
metasploit·CVSS 7.5
CVE-2022-30333 [HIGH] UnRAR Path Traversal (CVE-2022-30333)
This module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRAR'ed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. If a second file in the archive has the same name, it will be written to the symbolic link path.
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Recorded Future
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
blogs_recorded_future
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel's operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia's governments and private companies in specified sectors, RedHotel's infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China's Ministry of State Security (MSS), indicating a
References
- http://packetstormsecurity.com/files/167989/Zimbra-UnRAR-Path-Traversal.html
- https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/
- https://lists.debian.org/debian-lts-announce/2023/08/msg00022.html
- https://security.gentoo.org/glsa/202309-04
- https://www.rarlab.com/rar/rarlinux-x32-612.tar.gz
- https://www.rarlab.com/rar_add.htm
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30333
Timeline
- 2022-05-09: Published
- 2022-08-09: Added to CISA KEV