Cyber Posture

CVE-2025-14111

Medium · Public PoC

Published: 05 December 2025
Modified: 29 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 5.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (42.8th percentile)
Risk Priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. It affects an unknown part of the component com.rarlab.rar. Manipulation of an unspecified input leads to path traversal. It is possible to launch the attack remotely.

Attacks of this nature are highly complex, and exploitability is rated difficult. An exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 mitigates this issue; the affected component should be upgraded. The vendor responded very professionally: "This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected."

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] Directly mitigates CVE-2025-14111 by requiring timely patching and upgrading of the vulnerable RAR for Android app to version 7.20 build 128 (flaw remediation).

[prevent] Prevents path traversal exploitation in the com.rarlab.rar component by validating file paths at entry points: rejecting absolute paths and ".." segments, and confirming that the resolved path still lies inside the intended directory before any file is read or written.

[prevent] Restricts execution of unauthorized or vulnerable software versions, such as RAR App up to 7.11 Build 127, via deny-by-default allowlisting of approved patched versions.
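The path-validation control above is easiest to see as code. The following is an added example written for this page, not code from RAR for Android, from Rarlab, or from the CVE writeup; it is archive-format-agnostic and uses constructed entry names (the SAMPLE_ENTRIES list, plus temporary directories created on the fly) rather than a real archive, so it goes beyond the single unspecified input in this CVE to the general extraction-traversal check. It places the vulnerable join-and-trust pattern (naive_target) next to a hardened check (safe_target) that normalizes separators, rejects absolute names and ".." segments, and then resolves symlinks to confirm the final path is still under the extraction root, which also catches the case where an earlier entry planted a symlink pointing outside the destination.

```python
import os
import posixpath
import tempfile

# Constructed sample entry names (not taken from any real archive or from the
# CVE writeup); they cover the shapes a traversal check has to handle.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                  # plain relative path
    "docs/../notes.txt",                # '..' that still normalizes inside the root
    "../../../shared_prefs/evil.xml",   # classic escape above the root
    "/sdcard/Download/abs.txt",         # absolute name
    "..\\..\\win_style.txt",            # backslash separators
    "nested/./ok/../fine.bin",          # dot segments, stays inside the root
]


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Vulnerable pattern: join the archive-supplied name onto the destination
    and trust the result. '..' segments walk above dest_dir, and an absolute
    name makes os.path.join discard dest_dir entirely."""
    return os.path.join(dest_dir, entry_name)


def naive_escapes(dest_dir: str, entry_name: str) -> bool:
    """True when the naive join, once normalized, lands outside dest_dir.
    This is a purely lexical check and is blind to symlinks."""
    root = os.path.abspath(dest_dir)
    lexical = os.path.normpath(naive_target(root, entry_name.replace("\\", "/")))
    return os.path.commonpath([root, lexical]) != root


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened pattern: lexical checks first, then a filesystem check.

    1. Treat backslashes as separators so 'a\\..\\b' cannot slip past a
       forward-slash-only check.
    2. Reject absolute names, empty names, and any remaining '..' segment
       after normalization.
    3. Resolve symlinks on both the destination and the candidate path and
       confirm the candidate is still under the destination.
    """
    name = entry_name.replace("\\", "/")
    if posixpath.isabs(name):
        raise ValueError(f"absolute entry name rejected: {entry_name!r}")
    norm = posixpath.normpath(name)
    if norm in (".", "") or ".." in norm.split("/"):
        raise ValueError(f"traversal or empty entry name rejected: {entry_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry resolves outside destination: {entry_name!r} -> {target}")
    return target


def check_entries(dest_dir: str, entries) -> dict:
    """Map each entry name to 'ok' or 'rejected' under the hardened check."""
    verdicts = {}
    for name in entries:
        try:
            safe_target(dest_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


def run_sample_check() -> dict:
    """Classify SAMPLE_ENTRIES against a fresh temporary extraction root."""
    with tempfile.TemporaryDirectory() as dest:
        return check_entries(dest, SAMPLE_ENTRIES)


def symlink_escape_demo() -> dict:
    """Show the filesystem backstop: a symlink inside the destination that
    points outside it passes the lexical check but is caught by realpath.
    Both directories are temporary, so this runs offline."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        os.symlink(outside, os.path.join(dest, "link"))  # planted by an earlier entry
        entry = "link/planted.txt"
        lexical_passed = not naive_escapes(dest, entry)
        try:
            safe_target(dest, entry)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        return {"lexical_check_passed": lexical_passed,
                "hardened_check_blocked": hardened_blocked}


if __name__ == "__main__":
    for name, verdict in run_sample_check().items():
        print(f"{verdict:8s} {name!r}")
    print(symlink_escape_demo())
```

Run it as a script to see each sample entry classified and the symlink case reported. The point of the two-stage check is that normalization alone is not enough: "docs/../notes.txt" is safe after normalization and is accepted, but "link/planted.txt" is lexically inside the root and only the resolved-path comparison rejects it. An extractor that creates files as it goes has to perform the resolved-path check per entry, after earlier entries have been written, for exactly that reason.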

Security Summary [AI-generated]

CVE-2025-14111 is a path traversal vulnerability (CWE-22) in Rarlab RAR App versions up to 7.11 Build 127 on Android, affecting an unknown part of the com.rarlab.rar component. The issue allows manipulation leading to path traversal and has been assigned a CVSS v3.1 base score of 5.0 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L). It was published on 2025-12-05.

Remote attackers can exploit this vulnerability, though attacks are highly complex and exploitability is rated difficult. Exploitation requires user interaction and no privileges; it yields file read and write outside the intended directory, with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). A public exploit has been disclosed.

Advisories recommend upgrading the affected component to RAR for Android version 7.20 build 128, which mitigates the issue. The vendor has confirmed this is a real vulnerability limited to RAR for Android, with WinRAR and Unix RAR versions unaffected, and noted the fix in the version 7.20 changelog.

Details

CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products: rarlab rar ≤ 7.11 (Build 127)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1006 Direct Volume Access (Defense Evasion)
Adversaries may directly access a volume to bypass file access controls and file system monitoring.
Why these techniques?

Path traversal lets an attacker-controlled path read from and write to locations outside the intended directory, which supports collection of files from the device file system (T1005). T1006 is a weak fit: Direct Volume Access describes reading raw volumes to bypass file-system APIs and monitoring, whereas path traversal goes through the ordinary file-system API with a malformed path and bypasses no file access controls, and nothing in the advisory text supports a direct-volume mapping.
