A significant security flaw has been identified in WinRAR, a widely used file archiving utility, which is currently under active exploitation. This vulnerability, designated as CVE-2025-8088 with a CVSS score of 8.8, is a path traversal issue affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code by crafting malicious archive files.
The vulnerability was discovered by ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek. They found that previous versions of WinRAR, along with Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll, could be manipulated to use a path defined in a specially crafted archive instead of the user-specified path. This flaw has been addressed in WinRAR version 7.13, released on July 31, 2025.
The exploitation of this vulnerability has been linked to a cyber-espionage group known as RomCom, also referred to as Storm-0978, Void Rabisu, and UNC2596. This group has a history of targeting Ukrainian entities and has expanded its scope to include Western organizations involved in Ukraine-related humanitarian efforts. They have been observed using spear-phishing emails with attachments containing RAR files to deliver RomCom backdoors.
The flaw allows attackers to place executable files into autorun directories like the Windows Startup folder, enabling automatic execution during system startup and potentially allowing remote code execution. This vulnerability has been exploited through spear-phishing emails delivering RAR files with embedded backdoors.
It’s important to note that prior to these attacks, a threat actor identified as zeroplayer was spotted advertising an alleged WinRAR zero-day exploit on the Russian-language dark web forum Exploit.in for a price tag of $80,000. It’s suspected that the Paper Werewolf actors may have acquired it and used it for their attacks.
In previous versions of WinRAR, as well as RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction. User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory. This flaw could be exploited to place files in sensitive locations – such as the Windows Startup folder – potentially leading to unintended code execution on the next system login.
The attacks targeted Russian organizations in July 2025 via phishing emails bearing booby-trapped archives that, when launched, triggered CVE-2025-6218 and likely CVE-2025-8088 to write files outside the target directory and achieve code execution, while a decoy document is presented to the victim as a distraction.
The vulnerability stems from the fact that, when creating a RAR archive, you can include a file with alternate data streams (ADS) whose names contain relative paths. These streams can carry an arbitrary payload. When such an archive is unpacked, or an attached file is opened directly from the archive, the data from the alternate streams is written to arbitrary directories on the disk, i.e. a directory traversal attack.
The vulnerability affects WinRAR versions up to and including 7.12. Starting with version 7.13, it is no longer reproducible.
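The check an unpacker (or an archive-scanning gateway) should apply to the mechanism described above, as an added example that is not code from WinRAR or RARLAB: every entry path and every alternate-stream name is resolved against the destination directory and rejected if it is absolute, rooted, or escapes that directory. The `file:stream` notation for ADS entries and the sample entry list are constructed for illustration, not taken from the RAR on-disk format or from a real archive.

```python
import ntpath  # Windows path semantics, so the check behaves the same when run on Linux


def split_ads(entry_name):
    """Split 'file.txt:stream' into (file path, stream name); a drive letter is not a stream."""
    drive, rest = ntpath.splitdrive(entry_name)
    if ':' in rest:
        path, stream = rest.split(':', 1)
        return drive + path, stream
    return entry_name, None


def is_within(dest_dir, candidate):
    """True if dest_dir joined with candidate stays inside dest_dir after '..' collapsing."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, candidate)))
    return target == dest or target.startswith(dest.rstrip('\\') + '\\')


def check_entry(dest_dir, entry_name):
    """Return (ok, reason) for one archive entry name, stream suffix included."""
    path, stream = split_ads(entry_name)
    if ntpath.splitdrive(path)[0] or path.startswith(('\\', '/')):
        return False, 'absolute or rooted entry path'
    if not is_within(dest_dir, path):
        return False, 'entry path escapes destination'
    if stream is not None:
        # A legitimate stream name is a bare identifier; separators or '..' mean the stream
        # name is being used to steer the write somewhere else (the defect the page describes).
        if '\\' in stream or '/' in stream or not is_within(dest_dir, stream):
            return False, 'stream name contains a path'
    return True, 'ok'


# Constructed sample entries (hypothetical, not from a real archive).
SAMPLE_ENTRIES = [
    'report.docx',
    'report.docx:summary',                  # ordinary ADS name, harmless
    'images\\logo.png',
    '..\\..\\escape.exe',                   # traversal in the entry path itself
    'report.docx:..\\..\\Startup\\x.exe',   # traversal hidden in the stream name
    'C:\\Windows\\x.dll',                   # absolute path
]


def flagged_entries(dest_dir, entries):
    """Return [(entry, reason)] for every entry the unpacker should refuse to write."""
    results = [(name, check_entry(dest_dir, name)) for name in entries]
    return [(name, reason) for name, (ok, reason) in results if not ok]


if __name__ == '__main__':
    for name, reason in flagged_entries('C:\\out', SAMPLE_ENTRIES):
        print(f'REJECT {name!r}: {reason}')
```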
One of the malicious payloads in question is a .NET loader that’s designed to send system information to an external server and receive additional malware, including an encrypted .NET assembly. Paper Werewolf uses the C# loader to get the victim’s computer name and send it in the generated link to the server to get the payload. Paper Werewolf uses sockets in the reverse shell to communicate with the control server.
Given the severity of this vulnerability and its active exploitation, users are strongly advised to update to WinRAR version 7.13 immediately. Since WinRAR does not include an auto-update feature, it is recommended to … Notably, Unix versions of R … .