CVE-2025-8088 WinRAR Zero-Day Vulnerability

---

What is CVE-2025-8088?

• CVE-2025-8088 refers to a critical zero-day vulnerability in the Windows version of WinRAR—a widely used file archive utility.
• The flaw was actively exploited before a fix was available (“zero-day”), discovered in July-August 2025.

Technical Description

• Vulnerability Classification: Path Traversal (CWE-22)
• Path traversal means an attacker tricks the software into writing files to unintended directories by smuggling relative file paths (like ..\..\Windows\Start Menu) inside an archive.
• Primary Impact: Remote Code Execution (RCE) and arbitrary file overwrite.
• If a victim extracts a specially crafted archive, malicious files can be placed anywhere accessible, such as the Windows Startup folder, resulting in code running on the next reboot or login.
• CVSS Score: 8.8 (High; reflects the ease and effect of exploitation).

Vulnerable Versions

• WinRAR versions affected: Up to and including v7.12.
• Patched version: Fixed in v7.13, released July 31, 2025.
• Users must update to at least version 7.13 to be secure.

How is it Exploited?

• Attackers design RAR archives with embedded path traversal filenames and alternate data streams.
• The attacker sends these malicious RAR files, often via phishing emails with legitimate-looking decoy documents.
• A victim opens/extracts the archive, and the exploit causes files to be written outside the intended extraction folder, potentially in sensitive system locations.
• Example: A shortcut or executable dropped in the Startup folder gets triggered when the system reboots.

Notable Threat Activity

• Threat Groups:
• “Paper Werewolf” (aka “GOFFEE”)—targeted Russian organizations, sometimes with another WinRAR bug (CVE-2025-6218).
• “RomCom Group”—Russian cybercriminals used this zero-day to attack sectors including finance, manufacturing, defense, and logistics in Europe and Canada.
  • Deployed advanced backdoors (malware), including SnipBot, RustyClaw, and Mythic agent.
• The exploit was advertised on some criminal underground forums before being detected in real attacks.
• Discovery: ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek were the primary discoverers.

User Risk & Protective Actions

• Exploit requires user action: The exploit isn’t automatic; the victim must unpack a malicious archive.

Mitigation

• Immediately install WinRAR v7.13 (or later).
• Avoid opening or extracting unexpected archives, especially those from unknown sources or received via email.

Additional Context & Notes

• This vulnerability underlines the risk posed by compressed archives—even from “trusted” sources. Threat actors frequently use document lures.
• Other archiving tools, like 7-Zip, had unrelated vulnerabilities discovered in a similar timeframe, but CVE-2025-8088 is exclusive to WinRAR on Windows.
• Rapid update and strong security hygiene are crucial: Many attacks were detected before the CVE became widely known.
• Organizational advice: Consider deploying mail filtering to quarantine or scan archive files and educate users about the risks of unsolicited files.

In summary: CVE-2025-8088 is a severe, easy-to-exploit flaw in WinRAR that allows attackers to achieve code execution via booby-trapped archives. Multiple threat actors weaponized this before a patch was released, so updating WinRAR immediately is essential for security.