WinRAR Zero-Day Vulnerability (CVE-2025-8088) Under Active Attack by Multiple Threat Groups

A critical zero-day vulnerability in the widely used WinRAR file archiving utility, identified as CVE-2025-8088, is currently being actively exploited by multiple sophisticated threat groups. This path traversal vulnerability allows attackers to execute arbitrary code on the systems of users who extract a crafted archive, posing a significant risk to users worldwide.

Key Takeaways

  • Active Exploitation: Multiple threat actors, including RomCom and Paper Werewolf, are actively exploiting CVE-2025-8088.

  • Vulnerability Type: A path traversal flaw enabling arbitrary code execution.

  • Affected Versions: WinRAR versions up to and including 7.12 are vulnerable.

  • Patch Available: WinRAR version 7.13, released on July 30, 2025, addresses the vulnerability.

  • Impact: Attackers can place malicious files in sensitive system locations, leading to code execution and persistence.

The Nature of the Threat

CVE-2025-8088, with a CVSS score of 8.8, allows attackers to trick WinRAR into extracting files outside of the intended directory. This is achieved by crafting malicious archive files that leverage NTFS alternate data streams (ADS) and manipulate file paths. Successful exploitation can lead to the placement of malicious files, such as DLLs or shortcut files, into sensitive locations like the Windows Startup folder, ensuring code execution upon the next system login.

Threat Actors Involved

Several threat groups have been observed weaponizing this vulnerability. The Russia-aligned group RomCom (also known as Storm-0978) has been using CVE-2025-8088 in targeted attacks against financial, manufacturing, defense, and logistics companies in Europe and Canada. Their campaigns often use spearphishing emails with resume-themed lures.

Additionally, the threat actor group Paper Werewolf has also been exploiting this vulnerability, reportedly in conjunction with CVE-2025-6218, targeting organizations in Russia. There are indications that exploits for this zero-day may have been offered for sale on dark web forums for a significant price.

Technical Details of Exploitation

Attackers craft RAR archives that appear to contain only a single benign file. However, hidden within are malicious ADS entries. When a user extracts such an archive, WinRAR can be manipulated to write files to unintended directories. This can include dropping malicious DLLs into temporary folders or creating .lnk shortcut files in the Windows Startup directory for persistence.
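A pre-extraction check a defender might add to an archive-handling pipeline, as an added example that is not from the original article and is not WinRAR's own code: it takes entry names the way a listing tool would report them and flags absolute paths, `..` escapes from the extraction directory, alternate-data-stream designators whose stream name carries path components, and anything aimed at the Startup folder. The sample entries, the extraction directory and the heuristics are constructed for this example and assume a plain `file:stream` rendering of ADS entries.

```python
import ntpath

# Constructed archive entry names, written the way a listing tool might report them;
# illustrative only, not copied from any real malicious archive.
SAMPLE_ENTRIES = [
    "resume.pdf",
    "docs/cover_letter.docx",
    "notes.txt:Zone.Identifier",
    r"..\..\AppData\Local\Temp\helper.dll",
    r"C:\Windows\Temp\helper.dll",
    r"resume.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
]
# Per-user Startup folder suffix: anything written here runs at the next logon.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Hypothetical destination, used only to resolve relative entry names.
EXTRACT_DIR = r"C:\Users\alice\Downloads\resume"


def check_entry(name, extract_dir=EXTRACT_DIR):
    """Return the reasons an entry looks unsafe; an empty list means it looks benign."""
    reasons = []
    drive, rest = ntpath.splitdrive(name)
    if drive or rest[:1] in ("\\", "/"):
        reasons.append("absolute path")
    # A colon after the file name is an NTFS alternate data stream designator; a
    # legitimate stream name such as Zone.Identifier never holds separators or "..".
    base, sep, stream = rest.partition(":")
    if sep and ("\\" in stream or "/" in stream or ".." in stream):
        reasons.append("ADS stream name carries path components")
    # Resolve where the primary file would land and require it to stay under extract_dir.
    root = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(root, base))
    try:
        inside = ntpath.commonpath([root, target]) == root
    except ValueError:  # different drives or absolute/relative mix: cannot be inside
        inside = False
    if not inside:
        reasons.append("escapes extraction directory")
    if STARTUP_MARKER in name.lower().replace("/", "\\"):
        reasons.append("targets Startup folder")
    return reasons


def scan_entries(entries, extract_dir=EXTRACT_DIR):
    """Map each flagged entry name to its reasons; benign entries are omitted."""
    return {n: r for n in entries if (r := check_entry(n, extract_dir))}
```

Run `scan_entries` over a listing before extraction and quarantine the archive if it returns anything; the check is a heuristic on names only and does not replace updating to the patched version.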

Mitigation and Protection

Users and organizations are strongly advised to update WinRAR to version 7.13 or later immediately, as this version contains the necessary patches for CVE-2025-8088. For systems that cannot be immediately patched, implementing network controls to restrict suspicious file transfers and monitoring for unexpected process executions can offer partial mitigation.

Security awareness training for users, particularly regarding spearphishing attempts involving job applications or document attachments, is also crucial. Organizations should also consider discontinuing the use of vulnerable WinRAR versions until patches can be applied and explore alternative compression utilities if necessary.

Broader Context

This is not the first time WinRAR has been targeted with zero-day exploits. The vulnerability CVE-2023-38831 was heavily exploited in 2023, highlighting the ongoing need for vigilance and prompt patching of even commonly used software. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-8088 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply fixes by December 30, 2025.
