CVE-2025-8088 – WinRAR path traversal vulnerability exploited to run malicious software
A zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, poses significant risks to users of the popular file archiving tool. This path traversal flaw affects the Windows version of WinRAR, allowing attackers to execute arbitrary code through specially crafted archives. Discovered in mid-July 2025, the vulnerability highlights the dangers of delayed patching amid increasingly sophisticated phishing campaigns. The issue arises from improper handling of file paths during extraction, enabling malicious archives to place files in unauthorised locations, such as Windows Startup folders. By exploiting alternate data streams (ADS), attackers can conceal harmful payloads within seemingly benign RAR files, which can deploy silently upon extraction. This technique bypasses user-specified paths, potentially leading to remote code execution upon the next login. While Unix versions of RAR remain unaffected, Windows users of WinRAR versions prior to 7.13 are at high risk.
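The root cause described above is an archiver trusting the file names stored inside an untrusted archive. The following is an added example, not WinRAR's code, of the entry-name check an extractor needs so that every entry can only land beneath the directory the user chose: it refuses drive or UNC prefixes, rooted paths, `..` components and NTFS alternate-data-stream syntax (a colon inside a name), then confirms the normalised target still sits under the destination. The destination path and the archive listing are constructed for the demonstration; `ntpath` is used so the Windows path logic runs on any OS.

```python
# Added example (not WinRAR's code): the extraction-path check an archiver
# needs so that an entry name from an untrusted archive can only land
# beneath the directory the user chose.  ntpath is used so the logic runs
# on any OS against Windows-style names; the sample data is constructed.
import ntpath
from pathlib import PureWindowsPath

# Constructed destination, as a user might pick in an "Extract to" dialog.
DEST = r"C:\Users\alice\Downloads\cv"

# Constructed listing imitating what a crafted archive's headers could carry.
SAMPLE_ENTRIES = [
    "resume.pdf",
    "docs/cover_letter.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unwanted.exe",
    "resume.pdf:hidden.dll",
    r"C:\Windows\Temp\x.exe",
    r"\\attacker\share\x.exe",
]


def check_entry(name: str, dest: str) -> str:
    """Return "ok" if `name` may be written beneath `dest`, otherwise the reason to refuse it."""
    path = PureWindowsPath(name.replace("/", "\\"))
    if not path.parts:
        return "empty name"
    # Drive letters, UNC prefixes and leading separators would override `dest`.
    if path.drive or path.root:
        return "drive or root prefix"
    for part in path.parts:
        if part == "..":
            return "parent-directory traversal"
        # A colon inside a component is NTFS alternate-data-stream syntax,
        # the mechanism the advisory above says was used to hide the payload.
        if ":" in part:
            return "alternate data stream syntax"
    # Defence in depth: the normalised target must still sit under dest.
    dest = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest, str(path)))
    if ntpath.commonpath([dest, target]) != dest:
        return "escapes destination"
    return "ok"


def scan_listing(entries, dest):
    """Map every entry that must not be extracted to the reason for refusing it."""
    return {name: reason for name in entries if (reason := check_entry(name, dest)) != "ok"}


if __name__ == "__main__":
    for name, reason in scan_listing(SAMPLE_ENTRIES, DEST).items():
        print(f"REFUSE {name!r}: {reason}")
```

Run against the constructed listing, the two ordinary entries pass and the other four are refused with the reason shown. The same `check_entry` logic doubles as a triage filter for a mail gateway or sandbox that can list archive headers: an archive containing any refused name is worth quarantining before a user ever extracts it.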
Exploitation of this vulnerability has been linked to at least two threat groups. The Russia-aligned RomCom, also known as Storm-0978, initiated attacks from July 18 to 21, 2025, targeting sectors such as finance, manufacturing, defence, and logistics in Europe and Canada. Posing as job applicants, they distributed phishing emails containing malicious RAR attachments disguised as resumes, deploying backdoors like SnipBot, RustyClaw, and Mythic agents for persistence and data exfiltration. Concurrently, the Paper Werewolf group, also known as GOFFEE, exploited the flaw against Russian organisations by mimicking official communications from a research institute. Evidence suggests that the exploit may have been sold on a dark web forum for $80,000 in late June 2025, facilitating its rapid adoption by multiple actors. ESET researchers first identified the zero-day on July 18, 2025, during an analysis of a suspicious DLL in a RAR archive. They notified WinRAR developers on July 24, leading to a swift fix in version 7.13, released on July 30, 2025. Users are urged to update immediately, as WinRAR lacks an auto-update feature. Organisations should scan for indicators of compromise and enhance email filtering to block RAR attachments. This incident underscores the dangers of compressed files in business communications, with a CVSS score of 8.8 indicating its high impact.