WinRAR 0-Day in Phishing Attacks

A zero-day vulnerability in the popular file compression tool WinRAR is being actively exploited by the Russia-aligned threat group RomCom to deliver malicious payloads via phishing campaigns.

Discovered on July 18, 2025, the flaw, now tracked as CVE-2025-8088, is a path traversal vulnerability that leverages alternate data streams (ADS) to hide and deploy malicious files during archive extraction. This allows attackers to silently plant backdoors without alerting users.

ESET researchers uncovered the zero-day exploit targeting WinRAR, marking at least the third instance in which the RomCom group has weaponized such vulnerabilities in the wild.

Key Takeaways
1. WinRAR vulnerability lets attackers plant malware through malicious archives.
2. Criminals exploit this via phishing to deploy RomCom malware on Windows systems.
3. Update to WinRAR 7.13 immediately.

WinRAR 0-Day Exploited in the Wild

The vulnerability affects WinRAR versions up to 7.12, as well as related components like UnRAR.dll and portable UnRAR source code. ESET promptly notified WinRAR developers on July 24, leading to a patch in version 7.13 beta 1 the same day, with the full release on July 30.

The vulnerability allows threat actors to carry out a path traversal attack: a malicious archive contains embedded file paths that override the legitimate extraction destination.

This technique enables attackers to place executable files in sensitive system directories, potentially achieving privilege escalation and persistence mechanisms on compromised systems.


The exploitation methodology involves crafting archives with manipulated directory structures that take advantage of the file path validation bypass.

When victims extract these archives using vulnerable WinRAR versions, the malware automatically executes without requiring additional user interaction, making it particularly dangerous for unsuspecting users.

Users are urged to update immediately to mitigate risks, especially those relying on integrated UnRAR libraries in other software.

RomCom, also known as Storm-0978 or Tropical Scorpius, has a history of blending cybercrime with espionage. Previously, in June 2023, the group exploited CVE-2023-36884 in Microsoft Word documents to target Ukraine-related entities.

In October 2024, they chained CVE-2024-9680 in Firefox with CVE-2024-49039 in Windows for code execution in Firefox-based applications such as Thunderbird and the Tor Browser.

In this campaign, observed from July 18 to 21, 2025, RomCom sent spearphishing emails posing as job applications or CVs to companies in the finance, manufacturing, defense, and logistics sectors across Europe and Canada. Attachments, disguised as benign RAR files like “Eli_Rosenfeld_CV2 – Copy (10).rar” or “cv_submission.rar,” appeared to contain innocent documents.

When users extract files from specially crafted archives, the malicious payload can manipulate the extraction process to place files in unintended system locations, bypassing user-specified destination paths.
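As an added illustration (not code from the article, ESET or WinRAR), the following Python script triages archive entry names, as listed before extraction, for the traits the attack above relies on: absolute paths, parent-directory traversal, and NTFS alternate data stream syntax. The listing and the extraction folder C:\extract are constructed assumptions.

```python
import ntpath
import re

# A drive prefix such as "C:\" is the only legitimate use of ':' in a Windows path
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")

def analyze_entry(name: str) -> set:
    """Return the suspicious traits found in one archive entry name."""
    findings = set()
    win = name.replace("/", "\\")
    if DRIVE_RE.match(win) or win.startswith("\\"):
        findings.add("absolute-path")          # ignores the chosen extraction folder
    parts = DRIVE_RE.sub("", win).split("\\")
    if any(":" in p for p in parts):
        findings.add("alternate-data-stream")  # NTFS "file:stream" syntax
    # A stream name may itself carry path segments, so split on ':' as well.
    # Any ".." segment is flagged (conservative: archivers do not emit them).
    segments = [s for p in parts for s in p.split(":")]
    if ".." in segments:
        findings.add("parent-traversal")
    return findings

def is_safe_entry(name: str, dest: str = "C:\\extract") -> bool:
    """True only if the entry is clean and a naive join still lands inside dest."""
    if analyze_entry(name):
        return False
    dest = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest, name.replace("/", "\\")))
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:  # different drive, or relative/absolute mix
        return False

# Constructed listing in the style of `unrar l` output for a phishing attachment;
# the names are illustrative placeholders, not indicators from a real sample.
SAMPLE_ENTRIES = [
    "cv_submission\\candidate_cv.pdf",
    "..\\..\\outside_dest\\dropped.exe",
    "notes.txt:hidden.dll",
    "report.pdf:..\\..\\outside_dest\\implant.exe",
    "C:\\Users\\Public\\x.exe",
]

def triage(entries=SAMPLE_ENTRIES) -> dict:
    """Map each suspicious entry to its findings; clean entries are omitted."""
    return {e: analyze_entry(e) for e in entries if analyze_entry(e)}
```

Running triage() over the sample listing reports four of the five entries; only the plain relative PDF passes is_safe_entry().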

Once successfully deployed, the malware establishes command and control communications, enabling threat actors to perform reconnaissance, lateral movement, and data exfiltration activities within compromised networks.

ESET researchers note that this attack vector is particularly effective because compressed archives are commonly shared in business environments, making detection challenging for traditional security solutions that may not thoroughly inspect archive contents before extraction.

Risk Factors and Details

Affected Products:
- Windows versions of WinRAR
- Windows versions of RAR
- Windows versions of UnRAR
- Portable UnRAR source code
- UnRAR.dll

Impact: Arbitrary code execution

Exploit Prerequisites:
- User must extract a specially crafted malicious archive
- Social engineering (phishing emails/malicious downloads)
- No additional user interaction required after extraction

CVSS 3.1 Score: 8.4 (High)

Mitigations

WinRAR developers have addressed this critical vulnerability in version 7.13, released on July 30, 2025.

The patch fixes a directory traversal flaw that is distinct from the one previously addressed in WinRAR 7.12.

Importantly, Unix versions of RAR, UnRAR, portable UnRAR source code, UnRAR library, and RAR for Android remain unaffected by this Windows-specific vulnerability.

Organizations and individual users must immediately update to WinRAR 7.13 or later versions to mitigate exploitation risks. 

Additional protective measures recommended include scanning compressed files with updated endpoint detection solutions before extraction and restricting archive handling privileges in enterprise environments to minimize potential attack surfaces.


Florence Nightingale
Florence Nightingale is a senior security and privacy reporter, covering data breaches, cybercrime, malware, and data leaks from cyberspace daily.