Cyber Web Spider Blog – News

CVE-2025-8088 – WinRAR 0-Day Path Traversal Vulnerability Exploited to Execute Malware

Posted on August 15, 2025 By CWS

A zero-day vulnerability in WinRAR allows malware to be deployed on unsuspecting users' systems, highlighting the ongoing threats to popular software.

Tracked as CVE-2025-8088, this path traversal flaw affects the Windows version of the widely used file archiving tool, enabling attackers to execute arbitrary code through specially crafted archives. The vulnerability, discovered in mid-July 2025, underscores the risks of delayed patching in an era of sophisticated phishing campaigns.

The issue stems from improper handling of file paths during extraction, allowing malicious archives to place files in unauthorized locations, such as Windows Startup folders.

By leveraging alternate data streams (ADS), attackers can hide harmful payloads inside seemingly benign RAR files, which deploy silently upon extraction.

This technique bypasses user-specified paths, potentially leading to remote code execution on the next login. Unix versions of RAR and related tools remain unaffected, but Windows users of WinRAR versions prior to 7.13 are at high risk.
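The containment check that this class of bug calls for, shown as an added example (it is not WinRAR's code or its patch): every entry name is resolved under Windows path rules and rejected if it is absolute, names an alternate data stream, or lands outside the folder the user chose. The function names, the destination folder and the sample entry names are constructed for illustration.

```python
import ntpath  # Windows path rules; purely lexical, so this runs on any OS


def unsafe_reason(entry_name, dest_root):
    """Return why an archive entry must not be written, or None if it stays in dest_root."""
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return "absolute or drive-qualified path"
    if ":" in rest:
        # On NTFS, "file:stream" addresses an alternate data stream of "file".
        return "alternate data stream specifier"
    root = ntpath.normcase(ntpath.normpath(dest_root))
    # Resolve ".." lexically, then require the result to stay under the root.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, rest)))
    if ntpath.commonpath([root, target]) != root:
        return "resolves outside the extraction root"
    return None


def audit(entry_names, dest_root):
    """Map every rejected entry name to the reason it was rejected."""
    verdicts = ((n, unsafe_reason(n, dest_root)) for n in entry_names)
    return {n: why for n, why in verdicts if why}


# Constructed entry names for illustration; not taken from any real sample.
SAMPLE_ENTRIES = [
    "docs\\resume.pdf",
    "docs/../notes.txt",  # contains ".." but still resolves inside the root
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "resume.pdf:hidden.dll",
    "C:\\Windows\\Temp\\drop.dll",
]

if __name__ == "__main__":
    # Hypothetical user-chosen extraction folder.
    for name, why in audit(SAMPLE_ENTRIES, r"C:\Users\alice\Downloads\out").items():
        print(f"REJECT {name!r}: {why}")
```

The check is lexical only; a real extractor would also have to consider links and reserved device names, which are outside what this example covers.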

Exploitation has been linked to at least two threat groups. The Russia-aligned RomCom (also known as Storm-0978) initiated attacks from July 18 to 21, 2025, targeting financial, manufacturing, defense, and logistics sectors in Europe and Canada.

Posing as job applicants, they distributed phishing emails with malicious RAR attachments disguised as resumes, deploying backdoors like SnipBot, RustyClaw, and Mythic agents for persistence and data exfiltration.

Meanwhile, the Paper Werewolf group (aka GOFFEE) exploited the flaw against Russian organizations, mimicking official communications from a research institute. Evidence suggests the exploit may have been sold on a dark web forum for $80,000 in late June 2025, explaining its rapid adoption by multiple actors.

WinRAR Zero-Day Path Traversal Exploited

ESET researchers first observed the zero-day on July 18, 2025, during analysis of a suspicious DLL in a RAR archive. They notified WinRAR developers on July 24, prompting a swift fix in version 7.13, released on July 30, 2025.

The patch addresses the path traversal mechanism, preventing manipulated extraction paths. This marks RomCom's third zero-day exploit in recent years, following abuses of CVE-2023-36884 and CVE-2024-49039.

Users are urged to update immediately, as WinRAR lacks an auto-update feature; check the version via Help > About WinRAR and download from official sources.

Organizations should scan for indicators of compromise, such as unexpected files in %TEMP% or Startup directories, and enhance email filtering to block RAR attachments.
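A triage sweep for the indicator named above, as an added example that is not from the article or from ESET: it lists files that appeared in the Startup folders (and %TEMP% when run directly) on or after a cutoff, with a SHA-256 for lookup. The cutoff defaults to the July 18, 2025 first sighting reported here; the function names are hypothetical.

```python
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path

# First in-the-wild sighting reported in the article; adjust to your own window.
DEFAULT_SINCE = datetime(2025, 7, 18, tzinfo=timezone.utc)
STARTUP_REL = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def startup_dirs(env=None):
    """Per-user and all-users Startup folders, built from the standard variables."""
    env = os.environ if env is None else env
    return [Path(env[v]) / STARTUP_REL for v in ("APPDATA", "PROGRAMDATA") if v in env]


def landed_at(st):
    """Latest of creation and modification time: extraction can keep an old mtime."""
    born = getattr(st, "st_birthtime", st.st_ctime)
    return datetime.fromtimestamp(max(born, st.st_mtime), tz=timezone.utc)


def recent_files(dirs, since=DEFAULT_SINCE):
    """Return path, timestamp and SHA-256 of every file that appeared at or after `since`."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for p in sorted(d.rglob("*")):
            try:
                if not p.is_file():
                    continue
                when = landed_at(p.stat())
                if when < since:
                    continue
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                continue  # locked or unreadable file; skipped in this sketch
            findings.append({"path": str(p), "seen": when.isoformat(), "sha256": digest})
    return findings


if __name__ == "__main__":
    temp = [Path(os.environ["TEMP"])] if "TEMP" in os.environ else []
    for hit in recent_files(startup_dirs() + temp):
        print(hit["seen"], hit["sha256"], hit["path"])
```

A hit is only a lead for review: legitimate installers also write to these folders, and %TEMP% in particular is noisy.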

This incident highlights the dangers of compressed files in enterprise communications, with CVSS scores rating the flaw at 8.8 for its high impact.

A demonstration video circulating online illustrates the exploit's mechanics, though experts caution against unverified sources.

As of August 15, 2025, no widespread attacks beyond targeted phishing have been reported, but the vulnerability's public disclosure could encourage copycat campaigns. Vigilance and prompt patching remain key defenses against such evolving threats.
