Critical WinRAR Vulnerability CVE-2025-8088 Actively Exploited by Global Threat Actors

Google has recently disclosed that various threat actors, including state-sponsored groups from Russia and China as well as financially motivated cybercriminals, are actively exploiting a critical vulnerability in RARLAB’s WinRAR software. The flaw, tracked as CVE-2025-8088 with a CVSS score of 8.8, was patched in July 2025 with the release of WinRAR version 7.13. Despite the availability of that patch, unpatched installations continue to be targeted.

Details of the Vulnerability

CVE-2025-8088 is a path traversal vulnerability: a crafted archive can carry entry names that, when the archive is opened with a vulnerable version of WinRAR, cause files to be written outside the chosen extraction directory and into sensitive locations such as the Windows Startup folder. Anything dropped there runs automatically at the user’s next logon, giving the attacker persistent access to the compromised system.
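To make the mechanism concrete from the defender’s side, here is an added example (written for this article, not WinRAR’s or Google’s code) that audits archive entry names before extraction: it rejects absolute paths and parent-directory references, and flags any rejected entry whose collapsed destination would be a Startup folder. The extraction root, the entry names and the Startup folder marker are constructed assumptions; nothing is written to disk.

```python
import ntpath
from pathlib import PureWindowsPath
# Constructed sample data (not from a real archive): extraction dir and entry names.
EXTRACT_ROOT = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "images/logo.png",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"C:\Users\Public\payload.bat",
    r"\\fileserver\share\loader.hta",
    "images/../../outside.txt",
]
# Lower-cased fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\start menu\programs\startup"

def classify_entry(name: str) -> str:
    """Return 'ok', or why the entry must not be written where it asks to go."""
    p = PureWindowsPath(name)  # treats both '/' and '\' as separators
    if p.drive or p.root:      # 'C:\...', '\foo' or UNC '\\server\share'
        return "absolute"
    if ".." in p.parts:        # any parent reference, even one that stays inside
        return "traversal"
    return "ok"

def resolve_destination(root: str, name: str) -> str:
    """Where the entry would be written once '..' segments are collapsed."""
    return ntpath.normpath(ntpath.join(root, name))

def is_inside(root: str, dest: str) -> bool:
    """True if dest is root or below it (case-insensitive, as on NTFS)."""
    root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    dest_n = ntpath.normcase(dest)
    return dest_n == root_n or dest_n.startswith(root_n + "\\")

def is_sensitive_destination(dest: str) -> bool:
    """True if the entry would land in a Startup folder and run at next logon."""
    return STARTUP_MARKER in ntpath.normcase(dest)

def audit_archive(root: str, entries: list[str]) -> dict[str, str]:
    """Map each entry to 'ok' or a rejection reason; nothing touches the disk."""
    verdicts = {}
    for name in entries:
        verdict = classify_entry(name)
        dest = resolve_destination(root, name)
        if verdict == "ok" and not is_inside(root, dest):
            verdict = "escapes-root"  # safety net if a new bypass gets past classify_entry
        if verdict != "ok" and is_sensitive_destination(dest):
            verdict += "+startup"     # the pattern described above: persistence at logon
        verdicts[name] = verdict
    return verdicts
```

Running `audit_archive(EXTRACT_ROOT, SAMPLE_ENTRIES)` marks the two plain entries `ok`, the Startup entry `traversal+startup`, and the remaining three `absolute` or `traversal`; a safe extractor would skip or abort on anything not marked `ok`.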

Exploitation by Threat Actors

The exploitation of this vulnerability has been observed across various threat groups:

– RomCom (UNC4895): This group, also known as CIGAR, was among the first to exploit CVE-2025-8088 as a zero-day vulnerability in July 2025. They utilized it to deploy a variant of the SnipBot malware, also referred to as NESTPACKER. RomCom is associated with both financial and espionage-driven cyber activities.

– Sandworm (APT44/FROZENBARENTS): A Russian state-sponsored group, Sandworm has used this vulnerability to distribute decoy files with Ukrainian filenames. These files contain malicious LNK shortcuts designed to download additional payloads upon execution.

– Gamaredon (CARPATHIAN): Another Russian-affiliated group, Gamaredon has targeted Ukrainian government agencies by embedding malicious HTML Application (HTA) files within RAR archives. These HTA files act as downloaders for secondary malicious stages.

– Turla (SUMMIT): This group has exploited the vulnerability to deliver the STOCKSTAY malware suite. Their attack vectors often involve lures related to Ukrainian military activities and drone operations.

– Chinese State-Sponsored Actors: Certain China-based threat actors have weaponized CVE-2025-8088 to deploy the Poison Ivy malware. Their method involves using batch scripts placed in the Windows Startup folder to download and execute the malware.

– Financially Motivated Cybercriminals: Beyond state-sponsored groups, various cybercriminal organizations have adopted this exploit to deploy Remote Access Trojans (RATs) and information stealers. Notably, some attacks have led to the installation of Telegram bot-controlled backdoors and malware families like AsyncRAT and XWorm.

Implications and Recommendations

The widespread exploitation of CVE-2025-8088 underscores persistent weaknesses in both application security and user awareness. The same technique recurs across every group observed, placing malicious files in the Windows Startup folder, which shows how reliably attackers can count on this defensive gap.

To mitigate the risks associated with this vulnerability, users and organizations are strongly advised to:

1. Update WinRAR: Ensure that WinRAR is updated to version 7.13 or later, which contains the necessary patches to address CVE-2025-8088.

2. Exercise Caution with Archive Files: Be vigilant when handling archive files, especially those received from untrusted or unknown sources.

3. Implement Security Best Practices: Regularly update all software applications, employ robust endpoint protection solutions, and educate users about the dangers of opening files from unverified sources.

By taking these proactive measures, individuals and organizations can significantly reduce the risk of falling victim to attacks exploiting this critical vulnerability.