New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression


A newly observed variant of the Zip Slip vulnerability has emerged, enabling threat actors to exploit path traversal flaws in widely used decompression utilities.

Exploits leveraging this vulnerability craft malicious archives containing specially constructed file names with relative paths.

When an unsuspecting user or automated system extracts these archives, files are written outside the intended extraction directory, potentially overwriting critical system or application binaries.


Early reports indicate that attackers are weaponizing this technique to implant backdoors and escalate privileges on both Windows and Unix targets.

Unlike a well-formed archive, whose entries all resolve to paths beneath the extraction directory, the malicious ZIP files contain entries whose names carry parent-directory (../) segments.

Upon decompression, these entries bypass inadequate path sanitization and deposit payloads directly into system directories.

Initial incidents were spotted in internal penetration tests, but more sophisticated campaigns recently attributed to the RomCom APT group have demonstrated live-fire exploitation in enterprise environments.

ASEC analysts identified that the variant takes advantage of the general purpose bit flag in the ZIP header to encode path separators that evade detection by signature-based scanners.

In one case, a compromised email attachment delivered a ZIP archive that, when opened with an outdated decompression tool, silently overwrote a legitimate startup script.

Examination of the archive structure reveals that the filename field, which begins at offset 0x1E of the local file header, contains path segments separated by percent-encoded slashes that are decoded only when the file is created.

ZIP file containing the path to the unzipped file (Source – ASEC)

Subsequent reverse engineering uncovered that the malicious archive had been built with Python's zipfile module, which writes whatever entry name it is given, relative segments included, straight into the filename field.
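To make the mechanics concrete, here is an added example (not code from ASEC, and not the attackers' tooling) that builds such an archive with Python's zipfile module, reads the first local file header back to show that the filename field begins at offset 0x1E and still carries the traversal string unchanged, and computes the path a careless extractor would write to. The entry name, payload and destination directory are constructed for illustration.

```python
import io
import posixpath
import struct
import zipfile

# Constructed sample entry name: three '..' segments climb from the extraction
# directory to the filesystem root before descending into /etc/cron.d.
MALICIOUS_NAME = "../../../etc/cron.d/evil"
PAYLOAD = b"* * * * * root id > /tmp/pwned\n"

# Local file header layout: signature, version, flags, method, time, date,
# CRC, compressed size, uncompressed size, name length, extra length.
# That is 30 fixed bytes, so the file name always starts at offset 0x1E.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_HEADER_SIG = 0x04034B50
UTF8_NAME_FLAG = 1 << 11  # general purpose bit 11: file name is UTF-8


def build_zipslip_archive(entry_name: str = MALICIOUS_NAME, payload: bytes = PAYLOAD) -> bytes:
    """Return a ZIP whose single entry carries entry_name verbatim.

    zipfile performs no sanitisation on write, so '../' survives intact.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def parse_local_header(data: bytes) -> dict:
    """Decode the first local file header and pull the name out of the raw bytes."""
    (sig, _version, flags, method, _mtime, _mdate, _crc, _csize, _usize,
     name_len, _extra_len) = LOCAL_HEADER.unpack_from(data, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    raw_name = data[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len]
    # Bit 11 of the general purpose flags selects UTF-8; otherwise CP437.
    encoding = "utf-8" if flags & UTF8_NAME_FLAG else "cp437"
    return {
        "name_offset": LOCAL_HEADER.size,  # 0x1E
        "flags": flags,
        "utf8_name": bool(flags & UTF8_NAME_FLAG),
        "method": method,
        "name": raw_name.decode(encoding),
    }


def naive_target_path(dest_dir: str, name: str) -> str:
    """What a careless extractor does: join and normalise, never checking the result."""
    return posixpath.normpath(posixpath.join(dest_dir, name))


if __name__ == "__main__":
    archive = build_zipslip_archive()
    header = parse_local_header(archive)
    print(f"name at offset 0x{header['name_offset']:X}: {header['name']!r}")
    print("careless extractor would write:",
          naive_target_path("/srv/uploads/extract", header["name"]))
```

Running the block shows the entry name sitting at 0x1E exactly as it was given, and a join-and-write extractor resolving it to /etc/cron.d/evil rather than anything under /srv/uploads/extract.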

Major vulnerabilities exploited by this technique include:

  • CVE-2025-8088 – Affects WinRAR prior to version 7.13; a crafted archive bypasses path validation through Alternate Data Stream (ADS) traversal.
  • CVE-2025-6218 – A remote code execution flaw in WinRAR versions before 7.12 that sidesteps relative path filters when spaces are used in the path.
  • CVE-2022-30333 – Targets RARLAB UnRAR before 6.12, where traversal paths such as "../../example" allow writes outside the extraction directory, for example to an SSH authorized_keys file.
  • CVE-2018-20250 – Abuses ACE format extraction in WinRAR 5.61 and earlier by bypassing the path filtering logic in UNACEV2.dll.

In addition to simple file overwrite, this variant supports embedding executable scripts and DLLs designed to maintain persistence.

By writing payloads to startup folders or systemd service directories, attackers ensure execution upon reboot. Detection is complicated by the fact that many decompression utilities join the entry name to the destination and write immediately, without normalizing the result or checking that its canonical path still lies inside the extraction directory.

Cybersecurity teams are advised to employ decompression libraries with built-in path traversal checks, enforce extraction within sandboxed environments, and update tools to patched versions released after August 2025 that include strict directory validation routines.
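The following is an added example, not code from the report or from any archiver, of an extractor that performs the strict directory validation recommended above: every entry name is normalized, rejected if it is absolute or contains a parent-directory segment, and then resolved through realpath so that a symlink planted by an earlier entry cannot redirect a later one. Symlink entries themselves are refused. The sample archive, its entry names and the destination directory are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

S_IFLNK = 0o120000  # Unix file-type bits stored in the high word of external_attr


class UnsafeEntry(ValueError):
    """Raised for an archive entry that would write outside the destination."""


def safe_member_path(dest_dir: str, name: str) -> str:
    """Return the absolute path an entry may be written to, or raise UnsafeEntry."""
    dest_real = os.path.realpath(dest_dir)
    # Normalise separators first: '..\\..\\x' is a traversal on extractors that
    # accept backslashes, so it must be checked exactly like '../../x'.
    norm = name.replace("\\", "/")
    parts = norm.split("/")
    if "\x00" in norm:
        raise UnsafeEntry(f"NUL byte in entry name: {name!r}")
    if norm.startswith("/") or (len(parts[0]) == 2 and parts[0][1] == ":"):
        raise UnsafeEntry(f"absolute entry name: {name!r}")
    if ".." in parts:
        raise UnsafeEntry(f"parent-directory reference in entry name: {name!r}")
    # Canonical-path check: realpath follows any symlink already present under
    # dest_dir, so the final write location is compared, not the textual path.
    target = os.path.realpath(os.path.join(dest_real, *[p for p in parts if p]))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeEntry(f"entry resolves outside destination: {name!r} -> {target}")
    return target


def is_safe_name(name: str, dest_dir: str = "/srv/uploads/extract") -> bool:
    """True if the name passes safe_member_path for the (hypothetical) destination."""
    try:
        safe_member_path(dest_dir, name)
    except UnsafeEntry:
        return False
    return True


def safe_extract(archive: bytes, dest_dir: str):
    """Extract only entries that pass validation; return (written paths, rejected entries)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                if (info.external_attr >> 16) & 0o170000 == S_IFLNK:
                    raise UnsafeEntry(f"symlink entry refused: {info.filename!r}")
                target = safe_member_path(dest_dir, info.filename)
            except UnsafeEntry as exc:
                rejected.append((info.filename, str(exc)))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def build_demo_archive() -> bytes:
    """Constructed sample: one benign entry and three Zip Slip attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("docs/readme.txt", b"harmless\n")
        zf.writestr("../../../etc/cron.d/evil", b"* * * * * root id > /tmp/pwned\n")
        zf.writestr("/etc/passwd", b"root::0:0::/:/bin/sh\n")
        zf.writestr("..\\..\\startup.cmd", b"calc.exe\r\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_demo_archive(), dest)
        dest_real = os.path.realpath(dest)
        return {
            "written": [os.path.relpath(p, dest_real).replace(os.sep, "/") for p in written],
            "rejected": [name for name, _reason in rejected],
            "all_inside": all(os.path.commonpath([dest_real, p]) == dest_real for p in written),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only docs/readme.txt is written; the three traversal entries are reported with the reason they were refused. CPython's own ZipFile.extract and extractall have stripped leading slashes and ".." components since 3.3.1, so this explicit check matters most where extraction is done by hand (as above) or by a library or tool in another language that joins and writes without it.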




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.