
A zero-day vulnerability in WinRAR has been exploited to deploy malware on victims' systems, highlighting the ongoing threat to widely installed desktop software.
Tracked as CVE-2025-8088, this path traversal flaw affects the Windows version of the popular file archiving tool and lets an attacker gain arbitrary code execution through a specially crafted archive. The vulnerability, discovered in mid-July 2025, underscores the risk of delayed patching in an era of targeted phishing campaigns.
The issue stems from WinRAR honouring a file path defined inside the archive instead of the extraction path chosen by the user, so a malicious archive can write files to locations the user never selected, such as the per-user Startup folder.
The attackers hide the malicious entries in NTFS alternate data streams (ADS) attached to a benign-looking decoy document, so the archive appears to contain only the decoy while the payload and its launcher are written silently on extraction.
A launcher dropped into the Startup folder then runs the payload at the next user logon. Windows builds of WinRAR, RAR, UnRAR and UnRAR.dll before version 7.13 are affected; Unix versions of RAR, UnRAR and the UnRAR library, and RAR for Android, are not.
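The check a safe extractor has to perform on every entry name, written here as an added Python example (not code from WinRAR or from the researchers who analysed the exploit): reject entry names that carry an alternate data stream or a drive letter, resolve the name against the destination folder with Windows path semantics and refuse anything that escapes it, and separately flag targets inside a Startup folder, because an archive extracted into a user profile can reach Startup with a plain relative path that passes the containment check. The sample listing and the user name alice are constructed for the demonstration; the paths are illustrative, not indicators from the real campaign.

```python
"""Classify archive entry names the way a safe Windows extractor must, covering the
tricks reported for CVE-2025-8088: alternate data streams (ADS), '..' traversal and
absolute paths aimed at the per-user Startup folder. Pure-path logic only (ntpath),
so the example runs on any OS."""
import ntpath
import re

# Per-user and all-users Startup folders: a file landing here runs at next logon.
# Matched against the fully resolved, lower-cased target path.
STARTUP_DIR = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming|programdata)"
    r"\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)


def resolve_target(dest: str, name: str) -> str:
    """Path the entry would be written to if the extractor trusted `name`.
    ntpath.join discards `dest` when `name` is absolute, which is exactly why the
    result must be re-checked against `dest` afterwards."""
    return ntpath.normpath(ntpath.join(ntpath.normpath(dest), name))


def is_inside(dest: str, target: str) -> bool:
    """True when `target` is `dest` itself or a descendant of it (case-insensitive)."""
    root = ntpath.normpath(dest).rstrip("\\").lower()
    t = target.lower()
    return t == root or t.startswith(root + "\\")


def check_entry(dest: str, entry: str) -> dict:
    """Classify one entry. 'reasons' is empty for an entry that is safe to extract."""
    reasons = []
    name = entry.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    # NTFS forbids ':' in file names, so in an entry name a colon is either a drive
    # letter (absolute path) or the ADS separator ("file.pdf:stream").
    if drive:
        reasons.append("absolute_drive_path")
    elif ":" in name:
        reasons.append("alternate_data_stream")
        # A vulnerable extractor treated the stream name as a path in its own right,
        # so resolve that part to see where the data would actually land.
        name = name.split(":", 1)[1]
    target = resolve_target(dest, name)
    if not is_inside(dest, target):
        reasons.append("escapes_destination")
    if STARTUP_DIR.match(target):
        reasons.append("targets_startup_folder")
    return {"entry": entry, "target": target, "reasons": reasons,
            "verdict": "block" if reasons else "allow"}


def scan(dest: str, entries) -> list:
    """Run check_entry over an archive listing (e.g. the names from `unrar lt`)."""
    return [check_entry(dest, e) for e in entries]


# Constructed sample listing: a decoy resume plus entries shaped like the traversal
# and ADS abuse described above (illustrative names, not real indicators).
SAMPLE_ENTRIES = [
    "Resume.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Resume.pdf:..\\..\\..\\..\\..\\..\\..\\..\\Users\\Public\\hidden.dll",
    "C:\\Users\\Public\\evil.exe",
    "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
]

if __name__ == "__main__":
    # Extracting into a subfolder of Downloads: the last entry is harmless here.
    for finding in scan("C:\\Users\\alice\\Downloads\\cv", SAMPLE_ENTRIES):
        flags = ", ".join(finding["reasons"]) or "ok"
        print(f"{finding['verdict']:5} {finding['target']}  [{flags}]")
    # Extracting straight into the profile root: the same relative entry now lands
    # in Startup without ever leaving the destination.
    print(check_entry("C:\\Users\\alice", SAMPLE_ENTRIES[4]))
```

The containment check alone is not enough: the last sample entry is allowed when the archive is unpacked into a Downloads subfolder but blocked when the destination is the profile root, which is why the Startup-folder check is applied to the resolved target regardless of containment.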
Exploitation has been linked to at least two threat groups. The Russia-aligned RomCom (also known as Storm-0978) initiated attacks from July 18 to 21, 2025, targeting financial, manufacturing, defense, and logistics sectors in Europe and Canada.
Posing as job applicants, they sent phishing emails with malicious RAR attachments disguised as resumes, deploying a SnipBot variant, RustyClaw and a Mythic agent as backdoors for persistence and data exfiltration.
Separately, the Paper Werewolf group (aka GOFFEE) exploited the flaw against Russian organizations, mimicking official communications from a research institute. Evidence suggests the exploit may have been offered for sale on a dark web forum for $80,000 in late June 2025, which would explain its use by more than one actor within weeks.
WinRAR Zero-Day Path Traversal Exploited
ESET researchers first spotted the zero-day on July 18, 2025, while analysing a suspicious DLL in a RAR archive. They notified the WinRAR developers on July 24, prompting a fix in version 7.13, released on July 30, 2025.
The patch stops WinRAR from using an extraction path defined by the archive. This is at least the third zero-day RomCom has exploited in recent years, after CVE-2023-36884 (Microsoft Office/Windows) and CVE-2024-49039 (Windows Task Scheduler).
Users are urged to update immediately. WinRAR has no auto-update mechanism, so check the installed version via Help > About WinRAR and, if it is older than 7.13, download the current release from the official WinRAR website.
Organizations should hunt for indicators of compromise, in particular unexpected .lnk shortcuts in users' Startup folders and recently created executables or DLLs in %TEMP%, and tighten email filtering to block or quarantine RAR attachments from external senders.
This incident highlights the danger of compressed files in business communications; the flaw carries a CVSS v3 base score of 8.8 (High).
A demonstration video circulating online illustrates the exploit’s mechanics, though experts caution against unverified sources.
As of August 15, 2025, no widespread attacks beyond targeted phishing have been reported, but the vulnerability’s public disclosure could inspire copycat campaigns. Vigilance and prompt patching remain key defenses against such evolving threats.