WinRAR: WinRAR path traversal allowing arbitrary code execution (CVE-2025-8088) #shorts
Summary
Welcome to today’s security briefing. We’re discussing CVE-2025-8088, a zero-day path traversal flaw in WinRAR for Windows that’s being actively exploited in the wild. This critical vulnerability has been leveraged by a Russia-linked group called RomCom to deliver malware via crafted archive files. Users running WinRAR version 7.12 and earlier are at risk and should update immediately to version 7.13.
Product details
The affected product is WinRAR for Windows, developed by win.rar GmbH. Any installation at version 7.12 or below is vulnerable. WinRAR is one of the most widely used file archivers worldwide, and millions of users rely on it for compressing and extracting ZIP, RAR, and other archive formats.
Vulnerability type summary
CVE-2025-8088 is classified under CWE-35: Path Traversal. An attacker crafts a malicious archive that contains file paths designed to break out of the intended extraction directory. This allows the payload to overwrite system files or place executable code in sensitive locations, leading to arbitrary code execution when the archive is opened.
Details of the vulnerability
Discovered by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček, the flaw lies in WinRAR’s handling of archive entries. When a user opens or extracts a malformed RAR file, directory traversal sequences like “..\” in entry names are not properly sanitized, so an entry can be written outside the chosen extraction folder. Attackers have used spear-phishing emails and malicious download links to trick victims into opening these crafted archives. Once executed, the embedded RomCom malware can establish persistence, steal data, and propagate further. Security teams have observed coordinated campaigns linked to Russian threat actors targeting corporate and government environments.
Conclusion
CVE-2025-8088 is a high-impact, actively exploited vulnerability affecting a ubiquitous Windows utility. To protect against RomCom malware campaigns, update WinRAR to version 7.13 or later without delay. Organizations should audit their endpoint defenses for signs of exploitation, review email filtering rules for malicious attachments, and educate users on the dangers of opening unsolicited archives. Stay safe and thank you for listening.
Watch the full video on YouTube: CVE-2025-8088
Remediation and exploitation details
This chain involves the following actors
- Russia-linked hacking group: Attacker
- Windows end user: Victim
- ESET security researchers: Discoverer
The following systems are involved
- WinRAR (version 7.12 and earlier) (Archive compression and extraction): Vulnerable software
- Windows operating system (Host applications and manage system resources): Platform
Attack entry point
- Phishing email with malicious archive attachment: An email lure carrying a specially crafted RAR file that leverages file paths designed to escape the intended extraction folder
Remediation actions
Exploitation actions
Path traversal crafting
- evil.rar includes an entry named "..\\..\\..\\Windows\\System32\\payload.exe"
Payload embedding
- payload.exe renamed to "Invoice_1234.doc.exe"
Phishing delivery
- Email subject: "Urgent Invoice Attached" with evil.rar attached
User-driven extraction
- Double-click on "evil.rar" in File Explorer
Path traversal exploitation
- Extraction path resolves to C:\Windows\System32\payload.exe
Arbitrary code execution
- RomCom malware runs at system startup with high privileges
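As an added defender-side example (not part of this briefing or of WinRAR's own code), the check below resolves each archive entry name against the extraction folder under Windows path rules and flags any entry that would land outside it, such as the "..\..\..\Windows\System32\payload.exe" entry in the chain above and the "..\" sequences described under Details. The sample entry names and the extraction root are constructed assumptions.

```python
import ntpath

# Constructed sample entry names, modelled on the traversal entry from the
# exploitation chain above; no real archive is parsed here.
SAMPLE_ENTRIES = [
    "Invoice_1234.doc",
    "docs/readme.txt",
    "..\\..\\..\\Windows\\System32\\payload.exe",
    "sub/../../escape.dll",
    "ok/../inside.txt",
    "C:\\Users\\Public\\drop.exe",
    "\\\\server\\share\\x.exe",
]

def _canon(path):
    """Windows-style canonical form: backslashes, '.'/'..' collapsed, case-folded."""
    return ntpath.normcase(ntpath.normpath(path))

def classify_entry(extract_root, entry_name):
    """Decide where an entry would land under Windows path rules.

    Returns (verdict, resolved_path). verdict is 'ok', 'absolute' (the entry
    carries a drive, UNC or root prefix and ignores the extraction folder) or
    'traversal' (a relative entry whose '..' components escape the folder).
    extract_root is assumed to be an absolute Windows path (constructed here).
    """
    root = _canon(extract_root)
    drive, _ = ntpath.splitdrive(entry_name)
    # isabs() stopped treating rooted paths like "\\x" as absolute in Python
    # 3.13, so the leading-separator test is kept explicit.
    if drive or ntpath.isabs(entry_name) or entry_name[:1] in ("\\", "/"):
        return "absolute", _canon(entry_name)
    resolved = _canon(ntpath.join(root, entry_name))
    # Compare the resolved location, not the raw name: "ok/../inside.txt"
    # stays inside the folder and is legitimate.
    if resolved == root or resolved.startswith(root + "\\"):
        return "ok", resolved
    return "traversal", resolved

def audit_archive(extract_root, entry_names):
    """Map each entry name to its verdict; refuse extraction if any is not 'ok'.
    This is the sanitization the briefing says affected WinRAR versions lacked."""
    return {name: classify_entry(extract_root, name)[0] for name in entry_names}

if __name__ == "__main__":
    root = "C:\\Users\\alice\\Downloads\\extract"
    for name, verdict in audit_archive(root, SAMPLE_ENTRIES).items():
        print(f"{verdict:10} {name}")
```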
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5
- [2025-08-09] WinRAR zero-day vulnerability CVE-2025-8088 exploited for phishing attacks; update to version 7.13 immediately.
- [2025-08-11] A new zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, is being actively exploited to deliver RomCom malware.
- [2025-08-09] Critical WinRAR flaw CVE-2025-8088 exploited by Russia-linked hackers to spread RomCom malware, update to version 7.13 now.
- [2025-08-11] Researchers detail WinRAR zero-day attacks by RomCom hacking group exploiting CVE-2025-8088.
- [2025-08-09] Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom malware.