WinRAR, the popular file compression program, has a security vulnerability that allows attackers to execute remote code on the user's computer when opening an SFX file (a self-extracting file).
The error was discovered by Mohammad Reza Espargham from Vulnerability Lab, as well as by Pieter Arntz from Malwarebytes.
According to both reports, the bug affects only the latest version WinRAR, 5.21, and can be used by any attacker who manages to insert malicious HTML code into the "Text to display in SFX window" section when creating a new SFX file.
After sending the file to a victim, malicious code is executed each time the file starts, and depending on the attacker's ability, it could compromise the system, network, or simple device. The attackers do not need special privileges on the target machine to exploit this vulnerability.
Because RAR and SFX files are used on a daily basis by a number of users, hackers have a high chance of using this bug out there.
A video - proof of the vulnerability is the following by Mohammad Reza Espargham.