WinRAR under threat: Zero-day vulnerability (CVE-2025-8088) exploited by hackers to deliver ransomware
13 Aug 2025
Summary
A zero-day vulnerability, tracked as CVE-2025-8088 with a CVSS rating of 8.4, has been discovered in WinRAR and is being exploited in the wild by attackers to deliver ransomware and achieve other malicious objectives.
About WinRAR
WinRAR is a popular file archive management and compression tool that organizations use to create and view archives in multiple formats (such as CAB, ARJ, LZH, TAR, and ISO), as well as the most widely used formats, RAR and ZIP, across Windows, Android, macOS, and Linux.
About the vulnerability
Title: CVE-2025-8088
CVSS Score: 8.4 (High)
Type: Path traversal vulnerability
Affected versions: Windows and Unix versions of WinRAR
- CVE-2025-8088 is a path traversal vulnerability that affects the Windows version of WinRAR.
- It was initially discovered by security researchers from ESET – Anton Cherepanov, Peter Strycek, and Peter Kosinar.
- By exploiting it, an attacker can execute arbitrary code via a specially crafted archive.
- It allows malicious files to be placed and executed at a path selected by the attacker.
- It is being exploited in the wild by ransomware groups, including RomCom (a Russia-based cyberespionage group) and GOFFEE/PaperWolf, to achieve malicious objectives such as stealing data and deploying ransomware.
How is an attack carried out through this vulnerability?
An attacker sends a phishing email, or a targeted spear-phishing email, containing a specially crafted archive to the user. The RAR archive carries multiple malicious payloads, including alternate data streams (ADS) that hide a malicious DLL and LNK (Windows shortcut) files.
When the user opens the archive, its contents are extracted to an attacker-specified folder. The DLL and LNK files are hidden deep in that folder behind multiple ADS entries, so the target only sees non-critical WinRAR warnings that draw attention away from the critical files.
In its advisory, WinRAR gives the following explanation of the vulnerability:
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll can be tricked into using a path defined in a specially crafted archive, instead of a user-specified path.
Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, as well as RAR for Android, are not affected.”
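The defect described above and in the advisory quote is that the extractor honours a path embedded in the archive instead of the destination the user chose. As an added illustration, not code from WinRAR, ESET or SharkStriker, the following Python check shows the invariant a safe extractor must verify for every entry name before writing it: the resolved target must stay under the user's destination, and names carrying `..` segments, absolute or UNC roots, or the `:` separator used for drive letters and NTFS alternate data streams are refused. The entry names and destination are constructed samples.

```python
import ntpath

# Constructed sample entry names (not from any real sample) of the kinds an
# archive abusing this class of bug would carry. The last one names an NTFS
# alternate data stream (ADS) via the ':' separator.
DEST = "C:\\Users\\alice\\Downloads\\resume"
SAMPLE_ENTRIES = [
    "resume/cv.pdf",                                       # benign, stays in DEST
    "../../Public/Desktop/cv.lnk",                         # climbs out of DEST
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.lnk",
    "C:\\Windows\\Temp\\helper.dll",                       # absolute path
    "cv.pdf:helper.dll",                                   # ADS hidden behind cv.pdf
]


def entry_is_safe(name: str, dest: str) -> bool:
    """Return True only if writing entry `name` under `dest` stays inside `dest`.

    This is the invariant the advisory describes: the destination must be the
    one the user chose, never one smuggled in through the entry name.
    """
    if not name:
        return False
    # ':' has no place in a relative entry name on Windows: it introduces a
    # drive letter (C:\...) or an alternate data stream (file.txt:stream).
    if ":" in name:
        return False
    # Absolute, rooted or UNC names (\\server\share, \x, /x) ignore dest.
    if ntpath.isabs(name) or name.startswith(("\\", "/")):
        return False
    normalized = ntpath.normpath(name)          # collapses a/../b, keeps leading ..
    if ".." in normalized.split("\\"):
        return False
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, normalized))
    return target.startswith(dest_norm + "\\")


def flag_entries(names, dest):
    """Return the entry names that an extractor must refuse to write under dest."""
    return [n for n in names if not entry_is_safe(n, dest)]


if __name__ == "__main__":
    for n in flag_entries(SAMPLE_ENTRIES, DEST):
        print("REFUSE:", n)
```

The same check can be run over the entry listing of an archive before extraction to triage email attachments without opening them in WinRAR.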
The first attacks exploiting the vulnerability were observed in July and August, when the ransomware group Paper Werewolf sent emails with attachments containing specially crafted malicious archives, posing as resumes of employees of a Russian research institute.
ESET has published a detailed report describing how the vulnerability is exploited by attackers.
Impact
Since many organizations rely on WinRAR for their archiving needs, they are the most immediate targets of attacks exploiting this vulnerability.
Attackers can execute malicious arbitrary code, deliver ransomware, and gain unauthorized access to sensitive data.
Attacks exploiting this zero-day vulnerability are on the rise, targeting industries such as logistics, finance, and manufacturing.
SharkStriker’s security recommendations
WinRAR users must not download or open unknown ZIP, RAR, or other files attached to emails. They must verify the sender and inspect the email body for signs of phishing, following best practices.
The vulnerability has been addressed in WinRAR 7.13, released on 31st July 2025.
Since WinRAR does not support automatic updates, we strongly recommend manually downloading and installing the latest version of WinRAR.