The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-8088, an actively exploited WinRAR vulnerability, to its Known Exploited Vulnerabilities catalog, with a due date of September 2, 2025, for federal agencies to apply mitigations.
WinRAR has released version 7.13 to address a critical security vulnerability that has been actively exploited by cybercriminals, marking another significant security incident for the popular file compression software.
The vulnerability, designated CVE-2025-8088, allows attackers to execute arbitrary code through maliciously crafted archive files, prompting immediate action from users worldwide.
Critical Security Flaw Exploited by Russian Hackers
The newly discovered vulnerability represents a serious threat to Windows users, with security researchers confirming that it has been exploited in active campaigns.
CVE-2025-8088 is a path traversal vulnerability that affects the Windows versions of WinRAR, UnRAR, and associated components, allowing specially crafted archives to bypass user-specified extraction paths and write files to unintended locations on the file system.
This capability enables attackers to execute arbitrary code on compromised systems, making it a particularly dangerous security flaw.
ESET researchers have linked this vulnerability to exploitation by the Russian RomCom group, which has been targeting companies across Europe and Canada.
The cybersecurity firm’s research team, including Anton Cherepanov, Peter Košinár, and Peter Strýček, discovered the vulnerability and reported it to WinRAR developers.
The vulnerability has been assigned a CVSS score of 8.4, classifying it as HIGH severity, which underscores the critical nature of this security issue.
Technical Details and Affected Systems
The directory traversal vulnerability is distinct from a previously patched security flaw that was addressed in WinRAR version 7.12, indicating that this represents a new attack vector that required separate remediation. The affected systems include:
- WinRAR for Windows – All desktop installations of the primary software.
- RAR and UnRAR command-line utilities – Windows versions of these tools.
- UnRAR.dll and portable UnRAR – Dynamic library and standalone versions.
- Version range affected – All WinRAR versions from 0 through 7.12.
- Unaffected platforms – Linux/Unix builds and RAR for Android remain secure.
The vulnerability affects all WinRAR versions from 0 through 7.12, meaning that virtually all existing installations require immediate updating.
The path traversal mechanism allows malicious archives to escape their intended extraction directories, potentially overwriting system files or placing executable code in locations where it can be automatically executed by the operating system.
This type of attack can lead to complete system compromise, data theft, or deployment of additional malware payloads.
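The following Python sketch is an added example, not code from WinRAR, ESET, or this article's sources. It shows the generic containment check that a defender can run over an archive's entry names before extraction: resolve each name against the chosen extraction directory using Windows path rules and flag any entry that would land outside it. The extraction root, the entry names, and the function names are constructed for illustration, and the check covers path traversal in general rather than the specific crafting used against CVE-2025-8088.

```python
import ntpath  # Windows path semantics; works on any OS, so triage hosts need not be Windows

# Constructed sample data (not taken from any real archive).
ROOT = r"C:\Users\analyst\Downloads\extract"
SAMPLE_ENTRIES = [
    "docs\\report.pdf",            # stays inside the root
    "docs/../notes.txt",           # ".." that still resolves inside the root
    "..\\..\\AppData\\run.lnk",    # climbs out with leading ".."
    "docs\\..\\..\\extract2\\a",   # sibling directory sharing the root's prefix
    "C:\\Windows\\Temp\\a.dll",    # absolute path with drive letter
    "C:a.dll",                     # drive-relative path
    "\\\\host\\share\\a.dll",      # UNC path
    "\\Windows\\a.dll",            # rooted path on the current drive
]

def escapes_root(entry_name: str, root: str) -> bool:
    """Return True if extracting entry_name under root would write outside root."""
    name = entry_name.replace("/", "\\")       # archives may mix separators
    drive, tail = ntpath.splitdrive(name)      # also recognises UNC prefixes
    if drive or tail.startswith("\\"):
        return True                            # absolute or drive-qualified name
    root_norm = ntpath.normcase(ntpath.normpath(root))
    dest = ntpath.normcase(ntpath.normpath(ntpath.join(root_norm, name)))
    # Compare with a trailing separator so "extract2" is not mistaken for "extract".
    inside = dest == root_norm or dest.startswith(root_norm.rstrip("\\") + "\\")
    return not inside

def audit_entries(entries, root):
    """Return the entries that must not be extracted into root."""
    return [e for e in entries if escapes_root(e, root)]

if __name__ == "__main__":
    for entry in audit_entries(SAMPLE_ENTRIES, ROOT):
        print("REJECT:", entry)
```

A check like this belongs in mail gateways, upload handlers, or triage scripts that list archive contents before any extraction tool touches them; it complements, and does not replace, updating to WinRAR 7.13.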
WinRAR users must immediately update to version 7.13, which was released on July 30, 2025, with updated release notes published on August 12, 2025.
The update addresses not only the critical security vulnerability but also fixes several bugs from the previous version, including issues with the “Import settings from file” command and recovery size settings for older compression profiles.
The urgency of this update cannot be overstated, particularly given the confirmed exploitation in the wild. Organizations and individual users should prioritize this update across all Windows systems running WinRAR.
Beyond the immediate security fix, WinRAR 7.13 continues to offer advanced NTFS features that distinguish it from other compression tools, including built-in options to preserve symbolic links and archive Alternate Data Streams (ADS).
These capabilities remain valuable for backup, deployment, and forensic environments, but users must ensure they are running the latest secure version to benefit from these features safely.
Users who cannot immediately update should consider discontinuing use of WinRAR until the update can be applied, particularly in environments where untrusted archive files are regularly processed.
