
WinRAR, one of the most widely used file archiving tools for Windows, has patched a high-severity flaw tracked as CVE-2025-8088 (CVSS score: 8.8). This path traversal vulnerability could allow attackers to execute arbitrary code on a victim’s system by simply getting them to extract a specially crafted archive file.
Cybersecurity researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET discovered the flaw, which affects all WinRAR versions up to 7.12. The issue was fixed in WinRAR 7.13, released on July 31, 2025.
The vulnerability stems from WinRAR failing to sanitize the paths stored inside an archive. An attacker can give an entry a relative path that, once joined to the extraction directory chosen by the user, resolves to a location outside it. That lets the attacker drop a file into a sensitive directory such as the per-user Startup folder, so the malicious code runs the next time the user logs on.
WinRAR confirmed that older versions of WinRAR, RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows are all affected.
This exploit requires user interaction, meaning that a victim must open or extract the booby-trapped archive. However, phishing emails and fake document lures make this step easy for attackers to achieve.
Although the full scope of exploitation is unknown, two advanced threat groups are believed to be involved:
Paper Werewolf (aka GOFFEE) – A Russian-linked group suspected of purchasing the exploit from a dark web seller named zeroplayer for $80,000 in July 2025.
RomCom – Another Russia-aligned cyber espionage group with a history of using zero-days.
Paper Werewolf reportedly combined CVE-2025-8088 with another flaw, CVE-2025-6218 (a directory traversal bug patched in June 2025), in phishing attacks targeting Russian organizations. Victims received malicious archives that placed files outside the intended directory and executed malware while showing a harmless decoy document.
RomCom, according to ESET, used the zero-day to target financial, manufacturing, defense, and logistics companies in Europe and Canada. Their attacks deployed advanced malware, including:
SnipBot – A backdoor for remote access.
RustyClaw – A downloader that fetched more malware.
Mythic Agent – A modular attack framework.
In some cases, the payload chain led to MeltingClaw, which can install additional backdoors such as ShadyHammock or DustyHammock.
The exploitation often relies on Alternate Data Streams (ADS), an NTFS feature that lets a file carry additional named streams of data alongside its main content (written as file.txt:streamname). The malicious archives pair a harmless-looking document with ADS entries whose stream names are relative paths containing ..\ sequences. Because vulnerable versions did not sanitize those names, extraction writes the stream data to arbitrary locations on disk, such as the Startup folder, instead of attaching it to the decoy file in the extraction directory.
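A practical way to act on this before extracting anything is to screen the archive's entry names, the same way a zip-slip check works for ZIP files. The script below is an added example, not code from ESET, RARLAB or the campaign described above. It flags the two conditions these archives depend on: a parent-directory segment that climbs above the extraction root, and an NTFS alternate data stream whose stream name is itself a relative path. Everything is evaluated as strings, so it runs on any operating system and never writes a file. The listing parser assumes the `7z l -slt` output format (one `Path = ` line per entry after the `----------` separator), and the sample listing, including the user name and stream path, is constructed for illustration.

```python
"""Screen archive entry names for traversal and ADS abuse before extraction.
Added example; not code from ESET, RARLAB or the article."""
import re
from dataclasses import dataclass, field

SEP = re.compile(r"[\\/]+")            # accept both Windows and POSIX separators
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(name: str):
    """Split 'file:stream[:$DATA]' into (file, stream).
    A drive-letter colon ('C:\\...') is not an ADS marker.  No stream -> (name, None)."""
    start = 2 if DRIVE_PREFIX.match(name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    stream = name[idx + 1:]
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return name[:idx], stream


def components(path: str) -> list:
    return [c for c in SEP.split(path) if c not in ("", ".")]


def escapes_root(comps, start_depth: int = 0) -> bool:
    """Zip-slip depth walk: True if a '..' ever climbs above the extraction root."""
    depth = start_depth
    for c in comps:
        depth = depth - 1 if c == ".." else depth + 1
        if depth < 0:
            return True
    return False


def classify_entry(name: str) -> Verdict:
    v = Verdict(name)
    if name.startswith(("\\", "/")):
        v.reasons.append("absolute or UNC path")
    if re.match(r"^[A-Za-z]:[\\/]", name):
        v.reasons.append("drive-qualified path")
    base, stream = split_ads(name)
    base_comps = components(base)
    if ".." in base_comps:
        v.reasons.append("parent-directory segment in entry path")
    if escapes_root(base_comps):
        v.reasons.append("entry path resolves outside extraction root")
    if stream is not None:
        v.reasons.append(f"alternate data stream {stream!r}")
        stream_comps = components(stream)
        # A legitimate stream name is a plain identifier; separators or '..'
        # inside it mean the stream name is being used as a path.
        if len(stream_comps) > 1 or ".." in stream_comps:
            v.reasons.append("path traversal embedded in stream name")
            # Conservative assumption: treat the stream name as a path relative
            # to the directory that holds the base file.
            if escapes_root(stream_comps, len(base_comps) - 1):
                v.reasons.append("stream resolves outside extraction root")
    return v


def names_from_7z_slt(listing: str) -> list:
    """Entry names from `7z l -slt` output (assumed format: 'Path = ' lines
    after the '----------' separator; the earlier 'Path = ' is the archive)."""
    names, in_entries = [], False
    for line in listing.splitlines():
        if line.strip() == "----------":
            in_entries = True
        elif in_entries and line.startswith("Path = "):
            names.append(line[len("Path = "):])
    return names


def scan_listing(listing: str) -> list:
    """Return only the entries that tripped at least one check."""
    return [v for v in map(classify_entry, names_from_7z_slt(listing)) if v.suspicious]


# Constructed sample listing (user name and stream path are made up).
SAMPLE_LISTING = """\
Listing archive: invoice.rar

--
Path = invoice.rar
Type = Rar5

----------
Path = Invoice_July.pdf
Size = 1024

Path = Invoice_July.pdf:..\\..\\..\\..\\..\\..\\..\\..\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk
Size = 2048
"""

if __name__ == "__main__":
    for verdict in scan_listing(SAMPLE_LISTING):
        print(verdict.name)
        for reason in verdict.reasons:
            print("   -", reason)
```

Run `7z l -slt suspicious.rar > listing.txt` on an isolated host and feed the text to `scan_listing`; any entry with a drive letter, a leading separator, a `..` segment, or a colon outside the drive position is worth quarantining rather than extracting. Whether a given listing tool exposes RAR ADS entries in `file:stream` form should be checked against the tool you use.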
Once executed, the malware:
Collects system details like the computer name.
Contacts a command-and-control server to fetch more payloads.
Sets up persistence by placing a malicious shortcut (.LNK) file in the Windows Startup folder, so it is launched again at every logon.
The result is full remote control over the infected system.

This is not the first time WinRAR has been a target. In 2023, CVE-2023-38831 was exploited as a zero-day, first in attacks on cryptocurrency traders and then by state-backed groups linked to Russia and China. That flaw let a booby-trapped ZIP or RAR archive run a script when the victim clicked on what appeared to be an ordinary document inside it.
The repeated targeting of WinRAR highlights its appeal to attackers: it is a trusted, widely installed utility with no automatic update mechanism, so vulnerable versions linger on systems long after a fix is released.
Interestingly, WinRAR is not alone. Around the same time, the 7-Zip archiver patched a separate bug (CVE-2025-55188, CVSS score: 2.7, fixed in 7-Zip 25.01) that allowed arbitrary file writes during extraction: an archive could contain a symbolic link, and a later entry would be written through that link to a path outside the extraction directory. This could let attackers overwrite sensitive files, such as SSH keys or configuration files, potentially enabling account takeovers.
While this 7-Zip issue mainly affects Unix systems, where symbolic links can be created by any user, it can also be exploited on Windows under certain conditions, such as when Developer Mode is enabled (which permits unprivileged symlink creation) or the user has administrator rights.
Cybersecurity experts strongly recommend taking the following steps immediately:
Update to WinRAR 7.13 or later – This is the only guaranteed fix for CVE-2025-8088. WinRAR does not update itself, so the new version must be downloaded and installed manually, and applications that bundle UnRAR.dll need an updated build of that library as well.
Avoid opening suspicious archives – Especially those sent via email or downloaded from unknown sources.
Enable antivirus real-time scanning – Ensure your security software checks archive contents before extraction.
Disable automatic extraction – Do not let mail clients or browsers open archives automatically; list an archive's contents first and treat entries whose paths contain ..\ or a colon as a red flag.
Keep all software updated – Outdated tools are prime targets for attackers.
The WinRAR zero-day demonstrates how everyday utilities can become gateways for advanced cyberattacks. For organizations, this means:
Implementing patch management policies that cover not just operating systems, but also common third-party tools.
Training employees on phishing awareness to reduce the risk of malicious file execution.
Monitoring for unusual file activity, especially in sensitive directories.
As ESET’s researchers noted, groups like RomCom are investing heavily in acquiring and weaponizing zero-day exploits. This means we can expect more targeted campaigns against widely used but often neglected software.