Search results for WINRAR A | Breaking Cybersecurity News | The Hacker News

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files. "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path," WinRAR said in an advisory. Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 30, 2025. The development is the second time a WinRAR security vulnerability has been weaponized in the wild in as many years. In 2023, another vulnerabil...

It's not just the critical Drupal vulnerability that is being exploited by in the wild  cybercriminals to attack vulnerable websites that have not yet applied patches already available by its developers, but hackers are also exploiting a critical WinRAR vulnerability that was also revealed last week. A few days ago, The Hacker News reported about a 19-year-old remote code execution vulnerability disclosed by Check Point in the UNACEV2.dll library of WinRAR that could allow a maliciously-crafted ACE archive file to execute arbitrary code on a targeted system. WinRAR is a popular Windows file compression application with 500 million users worldwide, but a critical "Absolute Path Traversal" bug (CVE-2018-20250) in its old third-party library, called UNACEV2.DLL, could allow attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the file would automatically run on the next reboot. To successfully exploit the...

Imagine, You Open a Winrar archive of MP3 files, but what if it will install a malware into your system when you play anyone of them. WinRAR, a widely used file archiver and data compression utility helps hackers to distribute malicious code. Israeli security researcher  Danor Cohen (An7i)   discovered the WinRAR file extension spoofing vulnerability. WinRAR file extension spoofing vulnerability allows hackers to modify the filename and extension inside the traditional file archive, that helps them to hide binary malicious code inside an archive, pretending itself as '.jpg' , '.txt' or any other format. Using a Hex editor tool, he analysed a ZIP file and noticed that winrar tool also adds some custom properties to an archive, including two names - First name is the original filename (FAX.png) and second name is the filename (FAX.png) that will appear at the WINRAR GUI window. Danor manipulated the second filename and extension to prepare a special Z...

Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads. "Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations," the Google Threat Intelligence Group (GTIG) said . "The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness." The vulnerability in question is CVE-2025-8088 (CVSS score: 8.8), which was patched by WinRAR version 7.13 released on July 30, 2025. Successful exploitation of the flaw could allow an attacker to obtain arbitrary code execution by c...

A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is  CVE-2023-38831  (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023. Google Threat Analysis Group (TAG), which  detected  the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers  FROZENBARENTS  (aka Sandworm),  FROZENLAKE  (aka APT28), and  ISLANDDREAMS  (aka APT40). The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware which is offered for s...

Various cyber criminal groups and individual hackers are still exploiting a recently patched critical code execution  vulnerability in WinRAR , a popular Windows file compression application with 500 million users worldwide. Why? Because the WinRAR software doesn't have an auto-update feature, which, unfortunately, leaves millions of its users vulnerable to cyber attacks. The critical vulnerability (CVE-2018-20250) that was patched late last month by the WinRAR team with the release of WinRAR version 5.70 beta 1 impacts all prior versions of WinRAR released over the past 19 years. For those unaware, the vulnerability is "Absolute Path Traversal" bug that resides in the old third-party library UNACEV2.DLL of WinRAR and allows attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the malicious file would automatically run on the next reboot. Therefore, to successfully exploit this vulnerability and tak...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file. "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user," CISA said in an alert. The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected. "This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to u...

An Iran-linked cyber-espionage group that has been found targeting critical infrastructure , energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday. Widely known as APT33 , which Symantec calls Elfin , the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world. Symantec started monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States. Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcar...

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with Venom RAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as  CVE-2023-25157 ," Palo Alto Networks Unit 42 researcher Robert Falcone  said . While  bogus PoCs  have become a  well-documented gambit  for targeting the  research community , the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal. whalersplonk, the  GitHub account  that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced. ...

Beware Windows Users! A new dangerous unpatched Zero-day Vulnerability has been detected in the latest version of WinRAR affects over millions of users worldwide. According to Mohammad Reza Espargham , a security researcher at Vulnerability-Lab , the stable version of WinRAR 5.21 for Windows computers is vulnerable to Remote Code Execution (RCE) flaw. WinRAR is one of the most popular utility program used to compress and decompress files with more than 500 Million installations worldwide. The WinRAR RCE vulnerability lie under the ‘ High Severity ’ block, and scores 9 on CVSS ( Common Vulnerability Scoring System ). HOW WINRAR VULNERABILITY WORKS? Let’s take a look at its actions. The vulnerability can be used by any attacker smartly to insert a malicious HTML code inside the " Text to display in SFX window " section when the user is creating a new SFX file. WinRAR SFX is an executable compressed file type containing one or more file ...

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25  said  in a report published last week. The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host. Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site. CVE-2023-38831 refers to a  high-severity flaw  in WinRAR that ...

The threat actor known as  UAC-0099  has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct  said  in a Thursday analysis. UAC-0099 was  first documented  by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives. The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of  LONEPAGE , a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware. "During 2022-2023, the mentioned group received unauthorized remote access to several...

A China-linked threat actor has been attributed to a cyber attack targeting an U.S. non-profit organization with an aim to establish long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues. The organization, according to a report from Broadcom's Symantec and Carbon Black teams, is "active in attempting to influence U.S. government policy on international issues." The attackers managed to gain access to the network for several weeks in April 2025. The first sign of activity occurred on April 5, 2025, when mass scanning efforts were detected against a server by leveraging various well-known exploits, including CVE-2022-26134 (Atlassian), CVE-2021-44228 (Apache Log4j), CVE-2017-9805 (Apache Struts), and CVE-2017-17562 (GoAhead Web Server). Symantec and Carbon Black told The Hacker News that there is no indication that these exploitation efforts were successful. It's suspected that the attackers ul...

The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. "The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion," CYFIRMA said in a technical report. Transparent Tribe, also called APT36, is a hacking group that's known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Pakistani origin, the state-sponsored adversary has been active since at least 2013. The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT , Crimson RAT , ElizaRAT , and DeskRAT . The latest set of attacks began with ...

Beware Windows users... a new dangerous remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide. Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR—a popular Windows file compression application with 500 million users worldwide—that affects all versions of the software released in last 19 years. The flaw resides in the way an old third-party library, called UNACEV2.DLL, used by the software handled the extraction of files compressed in ACE data compression archive file format. However, since WinRAR detects the format by the content of the file and not by the extension, attackers can merely change the .ace extension to .rar extension to make it look normal. According to researchers, they found an "Absolute Path Traversal" bug in the library that could be leveraged to execute arbitrary code on a targeted system attempting to uncompre...

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. "While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan," Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez said . "This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns." APT24, also called Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted government, healthcare, construction and engineering, mining, non-profit, and telecommunications sectors in the U.S. and Taiwan. The group is also known to engage in cyber operations wh...