A recently patched WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows a specially crafted archive to extract files into a path chosen by the attacker rather than the folder the user selected.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.
“Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, as well as RAR for Android, are not affected.”
Using this vulnerability, attackers can create archives that extract executables into autorun locations, such as the Windows Startup folders located at:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide)
The next time the user logs in, the executable runs automatically, giving the attacker remote code execution. Note that the machine-wide folder is not writable by standard users by default, so the per-user folder is the one reachable from an unprivileged WinRAR session.
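The Startup-folder trick above comes down to an extractor honouring a path supplied by the archive instead of the destination the user picked. The following is an added example, not WinRAR's code and not based on the RAR-level encoding of CVE-2025-8088 (which the article does not describe): it shows the containment check a safe extractor needs, applied to constructed entry names (the sample names and their contents are made up for illustration), using Windows path rules so it runs the same on any host.

```python
"""Check archive entry names for extraction-path escapes.

Added example (not WinRAR's or ESET's code). The RAR-level details of
CVE-2025-8088 are not on the page, so this works on entry names as plain
strings, applies Windows path rules regardless of the host OS, and writes
only entries that stay under the destination directory.
"""
import os
import tempfile
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Constructed sample entries (illustrative, not from the real exploit).
# The Startup paths are the autorun locations the article names.
SAMPLE_ENTRIES: List[Tuple[str, bytes]] = [
    ("invoice.pdf", b"%PDF-1.4 ..."),
    ("docs/readme.txt", b"hello"),
    ("docs/../notes.txt", b"still inside after normalisation"),
    ("../../evil.exe", b"MZ"),
    ("..\\..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe", b"MZ"),
    ("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe", b"MZ"),
    ("\\\\server\\share\\x.exe", b"MZ"),
    ("docs/../../escape.txt", b"MZ"),
]


def classify_entry(entry_name: str) -> Tuple[bool, str]:
    """Return (is_safe, relative_path_or_reason) for one archive entry.

    PureWindowsPath is used so that both '/' and '\\' separate components
    and drive letters / UNC prefixes are recognised on any host OS.
    """
    p = PureWindowsPath(entry_name)
    if p.drive or p.root:
        return False, "absolute, drive-relative or UNC path"
    kept: List[str] = []
    for part in p.parts:
        if part == "..":
            if not kept:
                # '..' with nothing left to pop climbs above the destination
                return False, "parent traversal escapes destination"
            kept.pop()
        elif part not in ("", "."):
            kept.append(part)
    if not kept:
        return False, "empty path"
    return True, "/".join(kept)


def safe_extract(dest_dir: str, entries: Iterable[Tuple[str, bytes]]):
    """Write each safe entry under dest_dir; return (written, rejected)."""
    dest_real = os.path.realpath(dest_dir)
    written: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name, data in entries:
        ok, info = classify_entry(name)
        if not ok:
            rejected.append((name, info))
            continue
        target = os.path.join(dest_real, *info.split("/"))
        # Belt and braces: the host OS must also agree the target stays inside.
        if os.path.commonpath([dest_real, os.path.realpath(target)]) != dest_real:
            rejected.append((name, "resolved outside destination"))
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(info)
    return written, rejected


def demo():
    """Run safe_extract over the sample entries in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        return safe_extract(scratch, SAMPLE_ENTRIES)


if __name__ == "__main__":
    ok, bad = demo()
    print("written :", ok)
    for name, why in bad:
        print("rejected:", name, "->", why)
```

The check rejects three classes of name: anything with a drive letter or UNC prefix, anything whose `..` components climb above the destination, and anything the host filesystem resolves outside it after joining. Names that contain `..` but stay inside (`docs/../notes.txt`) are allowed, which is the behaviour most users expect; a stricter policy could reject any `..` at all.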
As WinRAR does not include an auto-update feature, it is strongly advised that all users manually download and install the latest version from win-rar.com to be protected from this vulnerability.
The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.
“ESET has observed spearphishing emails with attachments containing RAR files,” Strýček told BleepingComputer.
“These archives exploited CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group.”
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, as well as campaigns focused on stealing credentials.
The group is known for its use of zero-day vulnerabilities in attacks and for custom malware used for data theft, persistence, and backdoor access.
RomCom has previously been linked to a number of ransomware operations, including Cuba and Industrial Spy.
ESET is working on a report about the exploitation, which may be published at a later date.