
Critical Security Flaw in WinRAR Allows Hackers to Inject Malware; Apply Patch Immediately to Prevent Potential Breaches

WinRAR's older editions harbored a significant security flaw


In a significant cybersecurity development, a high-severity vulnerability tracked as CVE-2025-8088 has been discovered in the popular compression tool WinRAR. This critical directory traversal flaw, rated around 8.4–8.8 on the Common Vulnerability Scoring System (CVSS), allows attackers to plant malicious code in sensitive system directories such as the Windows Startup folder.

This vulnerability, actively exploited by the Russia-aligned advanced persistent threat (APT) group known as RomCom, can lead to remote code execution (RCE) when the system restarts. The group, tracked by other security vendors as Storm-0978, Tropical Scorpius, and UNC2596, has been observed exploiting this zero-day since mid-July 2025, targeting organizations in Europe and Canada across the defense, finance, and critical infrastructure sectors.

The vulnerability is a directory (path) traversal: a crafted archive can override the extraction path and write arbitrary files, including executable malware, outside the directory the user selected. Malware planted in a sensitive folder such as the Windows Startup folder runs automatically at the next reboot, giving the attacker persistent remote access.
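The traversal mechanism described above, shown as an added defensive illustration that is not from the article or from WinRAR's own code: a pre-extraction check that computes where each archive entry name would land under the chosen extraction directory (using Windows path rules via `ntpath`, so it runs the same on any platform) and rejects any entry that escapes that directory. The extraction directory, the entry names and the Startup-folder path are constructed samples.

```python
import ntpath
from typing import List, Optional, Tuple


def resolve_entry(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the path an archive entry would be written to under dest_root,
    or None if the entry would land outside dest_root (path traversal)."""
    # Reject drive letters, UNC prefixes and rooted names outright: an
    # extractor must never honour an absolute destination from the archive.
    drive, _ = ntpath.splitdrive(entry_name)
    if drive or ntpath.isabs(entry_name) or entry_name[:1] in ("\\", "/"):
        return None
    # Join and normalise with Windows semantics: '/' becomes '\\' and
    # '.' / '..' segments are collapsed, which is where traversal shows up.
    root = ntpath.normpath(dest_root)
    target = ntpath.normpath(ntpath.join(root, entry_name))
    # Containment check (case-insensitive, as on Windows): the target must be
    # the root itself or lie strictly beneath it, so a sibling directory such
    # as "extract_evil" does not pass by prefix alone.
    root_cmp, target_cmp = ntpath.normcase(root), ntpath.normcase(target)
    if target_cmp != root_cmp and not target_cmp.startswith(root_cmp + "\\"):
        return None
    return target


def triage_entries(dest_root: str, names: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map every entry name to its resolved destination, or None if rejected."""
    return [(name, resolve_entry(dest_root, name)) for name in names]


# Constructed sample: a user extracting into their Downloads folder.
DEST = r"C:\Users\alice\Downloads\extract"
SAMPLE_ENTRIES = [
    r"docs\readme.txt",                                    # benign
    "docs/../report.pdf",                                  # stays inside root
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe",
    r"C:\Windows\System32\evil.dll",                        # absolute path
    "docs/../../../dropper.exe",                            # mixed separators
]

if __name__ == "__main__":
    for name, dest in triage_entries(DEST, SAMPLE_ENTRIES):
        print(f"{'REJECT' if dest is None else 'ok    '}  {name!r} -> {dest}")
```

A rejected entry is the signal to refuse extraction of the whole archive rather than skip a single file; the remaining entries are controlled by the same attacker.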

Attackers deliver the exploit via spearphishing emails carrying malicious RAR archive attachments. The exploit has reportedly been sold for $80,000 on dark web marketplaces, indicating strong interest among cybercriminals.

To mitigate the risk of zero-day exploitation, users are advised to update WinRAR immediately to version 7.13 or later. Exercise caution with unsolicited emails containing RAR attachments, especially spearphishing attempts that may deliver malicious archives exploiting this flaw. Additionally, monitor systems for signs of compromise, particularly persistent backdoors consistent with RomCom-style RATs.

WinRAR has fixed the issue; the first clean version is 7.13. The flaw does not affect the Unix versions of RAR, UnRAR, the portable UnRAR source code, or the UnRAR library, nor RAR for Android. Earlier versions of WinRAR and the Windows versions of RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll are affected.

RomCom's targets typically include government, military, and critical infrastructure organizations. The group often spoofs legitimate software in its attacks, making it crucial for users to remain vigilant.

Authorities like CISA have added CVE-2025-8088 to the Known Exploited Vulnerabilities Catalog and urged patching by September 2, 2025. This underscores the urgency for users to update their WinRAR software promptly to protect their systems from potential attacks.

Sources:

  1. ESET Research Blog
  2. CISA Alert
  3. WinRAR Changelog
  4. Kaspersky Threat Intelligence Report
  5. BleepingComputer Article
