The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability.
Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.
"When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path," WinRAR said in an advisory.
Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 31, 2025.
It's currently not known how the vulnerability is being weaponized in real-world attacks, and by whom. In 2023, another vulnerability affecting WinRAR (CVE-2023-38831, CVSS score: 7.8) came under heavy exploitation, including as a zero-day, by multiple threat actors from China and Russia.
Russian cybersecurity vendor BI.ZONE, in a report published last week, said there are indications that the hacking group tracked as Paper Werewolf (aka GOFFEE) may have leveraged CVE-2025-8088 alongside CVE-2025-6218, a directory traversal bug in the Windows version of WinRAR that was patched in June 2025.
It's important to note that prior to these attacks, a threat actor identified as "zeroplayer" was spotted advertising on July 7, 2025, an alleged WinRAR zero-day exploit on the Russian-language dark web forum Exploit.in for a price tag of $80,000. It's suspected that the Paper Werewolf actors may have acquired it and used it for their attacks.
"In previous versions of WinRAR, as well as RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction," WinRAR said in an alert for CVE-2025-6218 at the time.
"User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory. This flaw could be exploited to place files in sensitive locations – such as the Windows Startup folder – potentially leading to unintended code execution on the next system login."
The attacks, per BI.ZONE, targeted Russian organizations in July 2025 via phishing emails bearing booby-trapped archives that, when launched, triggered CVE-2025-6218 and likely CVE-2025-8088 to write files outside the target directory and achieve code execution, while a decoy document is presented to the victim as a distraction.
"The vulnerability is related to the fact that when creating a RAR archive, you can include a file with alternative data streams, the names of which contain relative paths," BI.ZONE said. "These streams can contain arbitrary payload. When unpacking such an archive or opening an attached file directly from the archive, data from the alternative streams is written to arbitrary directories on the disk, which is a directory traversal attack."
"The vulnerability affects WinRAR versions up to and including 7.12. Starting with version 7.13, this vulnerability is no longer reproduced."
One of the malicious payloads in question is a .NET loader that's designed to send system information to an external server and receive additional malware, including an encrypted .NET assembly.
"Paper Werewolf uses the C# loader to get the victim's computer name and send it in the generated link to the server to get the payload," the company added. "Paper Werewolf uses sockets in the reverse shell to communicate with the control server."
WinRAR Flaw Also Exploited by RomCom
Slovakian cybersecurity company ESET said it observed the Russia-aligned group RomCom exploiting CVE-2025-8088 as a zero-day, marking the third time the hacking crew has employed zero-days in its attacks after CVE-2023-36884 (June 2023), CVE‑2024‑9680 and CVE‑2024‑49039 (October 2024).
"Successful exploitation attempts delivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and Mythic agent," researchers Cherepanov, Strycek, and Damien Schaeffer said. "This campaign targeted financial, manufacturing, defense, and logistics companies in Europe and Canada."
The attacks leverage malicious archives that contain one benign but several alternate data streams (ADSes) that are leveraged for path traversal. The messages make use of resume-themed lures to trick recipients into opening the attachments.
Opening the archive triggers the execution of a malicious DLL, while a Windows shortcut (LNK) file is set up in the Windows startup directory to achieve persistence every time a user logs in to the system. This DLL is responsible for decrypting embedded shellcode, which then paves the way for the Mythic agent, a SnipBot (aka SingleCamper) variant, and RustyClaw.
RustyClaw fetches and executes another payload, another downloader called MeltingClaw (aka DAMASCENED PEACOCK), which has been used to drop backdoors such as ShadyHammock or DustyHammock in the past.
The company said none of the targets were compromised, citing telemetry data, but the development demonstrates the continued maturation of RomCom to a sophisticated threat actor capable of adopting zero-days into its arsenal for targeted attacks.
"By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyber operations," ESET said. "The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation."
7-Zip Plugs Arbitrary File Write Bug
The disclosure comes as 7-Zip shipped patches for a security flaw (CVE-2025-55188, CVSS score: 2.7) that could be abused for arbitrary file write due to the manner the tool handles symbolic links during extraction, which may result in code execution. The issue has been addressed in version 25.01.
In a possible attack scenario, a threat actor could leverage the flaw to achieve unauthorized access or code execution by tampering with sensitive files, such as by overwriting a user's SSH keys or .bashrc file.
The attack mainly targets Unix systems, but can also be adapted for Windows with additional prerequisites. "On Windows, the 7-Zip extraction process must have the capability to create symbolic links (e.g., extract with Administrator privileges, Windows is in Developer Mode, etc.)," security researcher "lunbun" said.
