Critical zero-day vulnerability in WinRAR is currently being exploited by cybercriminals in targeted attacks.

A critical zero-day vulnerability in WinRAR is currently being exploited by cybercriminals in targeted attacks, prompting urgent security warnings and the immediate release of a patched version. The flaw, designated CVE-2025-8088 with a CVSS score of 8.8, represents a significant security threat that requires immediate action from all WinRAR users.

The Vulnerability Details

The security flaw is classified as a path traversal vulnerability affecting the Windows version of WinRAR and related components. When extracting a specially crafted archive, affected versions of WinRAR can be tricked into writing to an attacker-defined file path instead of the extraction location chosen by the user. The exploitation technique abuses NTFS alternate data streams to achieve this unauthorized file placement on victim systems.
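The defensive check at the heart of this bug, as an added example that is not WinRAR's own code: an extractor must confine every entry, including any alternate data stream name stored with it, to the user-chosen destination. The destination path and entry names below are constructed samples; Windows path rules are applied via `ntpath` so the check also runs on non-Windows hosts.

```python
"""Confine archive entries (and NTFS alternate data streams) to the
extraction directory. Illustrative example, not WinRAR's implementation."""
import ntpath
from typing import Optional

# Constructed sample destination; any absolute Windows path works.
DEST = r"C:\Users\alice\Downloads\extract"

_BAD_COMPONENTS = {"", ".", ".."}


def _check_component(part: str) -> None:
    # Traversal tokens, empty components and ':' (which on NTFS would
    # redirect the write into an alternate data stream) are rejected.
    if part in _BAD_COMPONENTS or ":" in part:
        raise ValueError(f"unsafe path component: {part!r}")


def resolve_extract_target(dest_dir: str, entry_name: str,
                           stream: Optional[str] = None) -> str:
    """Return the full path an extractor may write for this entry, or raise.

    entry_name is the relative name stored in the archive; stream is an
    optional NTFS ADS name stored alongside it. An attacker-controlled path
    must never escape dest_dir, whether it arrives as the entry name or
    hidden inside the stream name."""
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or ntpath.isabs(name):
        raise ValueError(f"absolute, UNC or drive-relative entry: {entry_name!r}")
    for part in name.split("\\"):
        _check_component(part)
    target = ntpath.normpath(ntpath.join(dest_dir, name))
    base = ntpath.normpath(dest_dir)
    # Final containment check, case-insensitive as NTFS is.
    if not target.lower().startswith(base.lower() + "\\"):
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    if stream is not None:
        # A stream name is a single NTFS identifier, never a path.
        if (not stream or stream in _BAD_COMPONENTS
                or any(c in stream for c in "\\/:")):
            raise ValueError(f"unsafe stream name: {stream!r}")
        target = f"{target}:{stream}"
    return target


def is_safe_entry(dest_dir: str, entry_name: str,
                  stream: Optional[str] = None) -> bool:
    """True if the entry would be written inside dest_dir, else False."""
    try:
        resolve_extract_target(dest_dir, entry_name, stream)
        return True
    except ValueError:
        return False
```

Plain relative names and stream names resolve to paths under `DEST`; anything containing `..`, a drive or UNC prefix, or path separators inside a stream name is refused before a single byte is written.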

Affected software includes:

  • WinRAR versions up to and including 7.12
  • Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll

Unix versions of RAR, UnRAR, portable UnRAR source code, UnRAR library, and RAR for Android remain unaffected by this vulnerability.

Active Exploitation Campaign

This zero-day vulnerability was discovered on July 18, 2025, during an investigation of suspicious malicious archives being used in active cyberattacks. The Russia-aligned hacking group RomCom has been identified as the primary threat actor exploiting this vulnerability in targeted spearphishing campaigns.

The attacks occurred between July 18 and July 21, 2025, targeting organizations across multiple sectors including:

  • Financial institutions
  • Manufacturing companies
  • Defense contractors
  • Logistics firms

The campaign primarily focused on companies in Europe and Canada, with the ultimate goal of cyberespionage. Attackers distributed malicious RAR archives through phishing emails, often disguised as legitimate job application documents or business communications.

Attack Methodology

The exploitation process follows a sophisticated multi-stage approach. Attackers create specially crafted RAR archives containing both decoy files and malicious payloads with identical names. When victims attempt to extract or open files from these archives, the vulnerability triggers, allowing malicious files to be written to sensitive system locations such as the Windows Startup folder.

This technique enables automatic code execution upon the next user login, effectively establishing persistent access to compromised systems. The malware deployed through this method includes various backdoors used by the RomCom group, specifically SnipBot variants, RustyClaw, and Mythic agents.

Dark Web Marketplace Activity

This zero-day exploit was actively marketed on underground forums before its widespread deployment. On July 7, 2025, a threat actor identified as “zeroplayer” advertised an alleged WinRAR zero-day exploit on the Russian-language dark web forum Exploit.in for $80,000. The RomCom group may have acquired this exploit and subsequently weaponized it for their attacks.

Previous WinRAR Vulnerabilities

This incident represents a continuation of WinRAR’s troubled security history. In June 2025, another directory traversal vulnerability (CVE-2025-6218) was patched in WinRAR version 7.12. That earlier flaw also involved manipulation of archive file paths during extraction, potentially allowing attackers to place files in unintended locations.

The pattern of exploitation extends further back, with CVE-2023-38831 being heavily exploited by multiple threat actors from China and Russia throughout 2023. That vulnerability affected over 130 traders through targeted attacks on trading forums.

Immediate Action Required

WinRAR addressed CVE-2025-8088 in version 7.13, released on July 31, 2025. However, since WinRAR lacks an automatic update mechanism, users must manually download and install the latest version to protect against this actively exploited vulnerability.

Critical steps for WinRAR users:

  1. Download WinRAR version 7.13 immediately from the official WinRAR website
  2. Uninstall older versions to prevent accidental use of vulnerable software
  3. Exercise extreme caution when opening archive files from untrusted sources
  4. Implement additional security measures such as updated antivirus software and email filtering

Organizational Impact

The targeted nature of these attacks suggests that threat actors are conducting reconnaissance to identify high-value targets within specific industries. Organizations in the affected sectors should treat this as a critical security incident requiring immediate remediation across all systems where WinRAR is installed.

Security teams should also review email security policies and provide additional user awareness training regarding the risks associated with archive file attachments, particularly those received through unsolicited communications.
