CVE-2014-125119: 
WinRAR vulnerability analysis and mitigation

A filename spoofing vulnerability exists in WinRAR versions 3.80 through 5.00 when opening specially crafted ZIP archives (CVE-2014-125119). The vulnerability was discovered in March 2014 and arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed (An7i Blog, WinRAR Advisory).

The vulnerability exploits a discrepancy in how WinRAR handles ZIP file structures. When processing ZIP archives, WinRAR displays filenames from the Central Directory in its GUI but uses the Local File Header information for actual file extraction. This inconsistency allows attackers to create ZIP files where the displayed filename differs from the extracted filename. The vulnerability has a CVSS v4.0 score of 8.4 (HIGH) with the vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (VulnCheck).

An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution. For example, a malicious executable could be disguised as a text document, image, or PDF file. When users attempt to open these files, the malicious code is executed instead of the expected benign file (An7i Blog).

Users are recommended to upgrade to WinRAR 5.00 or later versions, which are not vulnerable to this attack. For those who must continue using WinRAR 4.20, it is advised to avoid opening files directly from ZIP archives and carefully check names of unpacked files before opening them (WinRAR Advisory).