New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression

Posted on August 27, 2025 By CWS

A newly observed variant of the Zip Slip vulnerability has emerged, enabling threat actors to exploit path traversal flaws in widely used decompression utilities.

Exploits leveraging this vulnerability craft malicious archives containing specially constructed file names with relative paths.

When an unsuspecting user or automated system extracts these archives, files are written outside the intended extraction directory, potentially overwriting critical system or application binaries.

Early reports indicate that attackers are weaponizing this technique to implant backdoors and escalate privileges on both Windows and Unix targets.

Unlike conventional archives that confine file locations to a subfolder, the malicious ZIP files contain entries with relative path components.

Upon decompression, these entries bypass inadequate path sanitization and deposit payloads directly into system directories.

Initial incidents were observed in internal penetration tests, but more sophisticated campaigns recently attributed to the RomCom APT group have demonstrated live-fire exploitation in enterprise environments.

ASEC analysts identified that the variant takes advantage of the general purpose bit flag in the ZIP header to encode path separators that evade detection by signature-based scanners.

In one case, a compromised e-mail attachment delivered a ZIP archive that, when opened with an outdated decompression tool, silently overwrote a legitimate startup script.

Examination of the archive structure reveals that the filename field beginning at offset 0x1E contains path segments separated by percent-encoded slashes, which are decoded only during file creation.

ZIP file containing the path to the unzipped file (Source – ASEC)

Subsequent reverse engineering uncovered that the malicious archive leveraged Python’s zipfile module to insert relative paths directly into the filename field.

Major vulnerabilities exploited by this technique include:

  • CVE-2025-8088 – Affects WinRAR prior to version 7.13 and allows bypass of path validation via Alternate Data Stream traversal.
  • CVE-2025-6218 – A remote code execution flaw in WinRAR versions before 7.12 that sidesteps relative path filters when spaces are used.
  • CVE-2022-30333 – Targets RARLAB UnRAR before 6.12 to overwrite SSH authorized_keys via “../../example” paths.
  • CVE-2018-20250 – Abuses ACE format extraction in WinRAR pre-5.61 by bypassing UNACEV2.dll filtering logic.

In addition to simple file overwrite, this variant supports embedding executable scripts and DLLs designed to maintain persistence.

By writing payloads to startup folders or systemd service directories, attackers ensure execution upon reboot. Detection is complicated by the fact that many decompression utilities do not normalize or validate canonical paths before writing.

Security teams are advised to use decompression libraries with built-in path traversal checks, perform extraction inside sandboxed environments, and update tools to patched versions released after August 2025 that include strict directory validation routines.
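The detection gap described above (utilities that never canonicalize entry names before writing) and the recommended mitigation (libraries with built-in traversal checks) can be illustrated with a small extractor that decodes percent-encoded separators, unifies backslashes and refuses anything resolving outside the destination. This is an added example written for this page, not code from ASEC or the article; the sample archive, its entry names and the function names are constructed for the demonstration.

```python
import io, os, tempfile, zipfile
from urllib.parse import unquote

def normalize_entry_name(name: str) -> str:
    """Decode percent-encoding until stable (defeats double encoding), unify slashes."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return name.replace("\\", "/")

def is_safe_entry(name: str, dest_dir: str) -> bool:
    """True only if the entry resolves strictly inside dest_dir after canonicalization."""
    name = normalize_entry_name(name)
    # Absolute paths, drive letters and NTFS alternate data streams ("f.txt:stream") are refused.
    if not name or name.startswith("/") or ":" in name:
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    return target == dest_real or target.startswith(dest_real + os.sep)

def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Write only entries that pass is_safe_entry; report what was refused."""
    report = {"extracted": [], "rejected": []}
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(info.filename, dest_dir):
                report["rejected"].append(info.filename)
                continue
            out = os.path.join(dest_real, *normalize_entry_name(info.filename).split("/"))
            os.makedirs(out if info.is_dir() else os.path.dirname(out), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(out, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(info.filename)
    return report

def demo() -> dict:
    """Constructed archive: one benign entry plus the traversal shapes the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../etc/cron.d/job", "plain ../ traversal")
        zf.writestr("..%2F..%2Fetc%2Fprofile", "percent-encoded separators")
        zf.writestr("..%252F..%252Fetc%252Fprofile", "double-encoded separators")
        zf.writestr("..\\..\\startup.cmd", "backslash separators")
        zf.writestr("notes.txt:payload", "alternate data stream name")
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(buf.getvalue(), dest)
```

Running `demo()` extracts only `docs/readme.txt` and lists the other five names as rejected; the rejected list is the signal worth forwarding to a SOC, since a benign archive should never produce one.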
