CVE-2025-8088 (CVSS 8.4) is a new high-risk path traversal vulnerability [CWE-35] in WinRAR versions 7.12 and below and related components including UnRAR.dll. The flaw allows unauthorized attackers to copy malicious files into sensitive directories, including the Windows Startup folder, where they can be executed. ESET Research reports that active exploitation of CVE-2025-8088 began on July 18, 2025, and the RomCom advanced persistent threat (APT) actor has been attributed with the initial attacks. Since then, there are unverified reports that an exploit has surfaced on the dark web and is being sold for $80,000.
RARLAB has published release notes and patched versions of the WinRAR applications and source code, and users are urged to patch immediately. Non-Windows versions are not affected by CVE-2025-8088. OPENVAS SECURITY INTELLIGENCE can help your security team detect vulnerable versions of WinRAR in your organization’s network with our ENTERPRISE FEED. Notably, our May 2025 threat report alerted readers to Russian state-sponsored threat actors exploiting another WinRAR flaw, CVE-2023-38831 (CVSS 7.8) in ransomware attacks. Let’s review the newest campaign targeting WinRAR.
A Summary of RomCom Tactics and Techniques
RomCom (aka Storm-0978, Tropical Scorpius, UNC2596) is a Russian-aligned threat actor known for operating its own signature malware (RomCom RAT), and conducting sophisticated, financially motivated ransomware attacks and espionage-motivated campaigns [1][2][3][4]. Their operations leverage a wide range of attack vectors, including spearphishing, trojan software installers, and exploitation of high-profile vulnerabilities. Most notably, CVE-2023-36884 (CVSS 7.5) in Microsoft Word, CVE-2024-9680 (CVSS 9.8) in Firefox, and CVE-2024-49039 (CVSS 8.8) in Windows Task Scheduler, among others. According to ESET, RomCom’s spearphishing emails now include weaponized RAR archives as attachments and are targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.
Understanding the CVE-2025-8088 Attack Chain
Campaigns exploiting CVE-2025-8088 follow a multi-stage delivery process, leveraging malicious RAR archives to import and execute malware on victim systems. Here is a breakdown of the attack chain discovered by ESET Research:
- Spearphishing Delivery: Victims receive phishing emails containing specially crafted RAR archives [T1204.002] designed to exploit CVE-2025-8088 once extracted. The attached archive appears to contain only one or two files. However, it actually holds multiple Alternate Data Streams (ADSes) with malicious content. In NTFS, ADSes allow data to be stored in a separate stream linked to a file without appearing in normal directory listings.
- Path Traversal Exploit: The ADS payloads use ..\ character sequences to traverse the file extraction path and install malicious DLL or EXE files into sensitive directories such as %TEMP%, %LOCALAPPDATA%, and the Windows Startup folder.
- Payload Deployment: Once the payload is extracted into sensitive directories, a .lnk shortcut file is copied into the Windows Startup folder for persistence [T1547]. WinRAR does not have elevated privileges by default. However, the Windows Startup folder is user-writable and serves to automatically execute the attacker’s payload when the user logs in.
- Actions on Objectives: Post-exploitation, various malware payloads have been observed for command and control (C2) including:
- Using COM hijacking [T1546.015] to execute a malicious DLL (Mythic Agent) targeting Active Directory (AD) domains.
- Using a trojanized PuTTY CAC executable (SnipBot) to perform anti-sandbox checks [T1497] before importing additional payloads [T1105]. PuTTY CAC is a modified version of the popular PuTTY SSH/Telnet client that adds support for smart card and certificate-based logins.
- Using a Rust-based downloader (RustyClaw) to deliver the MeltingClaw loader for importing additional malware [T1105].
Mitigating the Risk of CVE-2025-8088
WinRAR users on Windows should manually update to WinRAR 7.13 Final, released July 30, 2025. The update fixes the WinRAR desktop application, portable UnRAR source code, and UnRAR.dll components. Organizations should also update any software that relies on UnRAR.dll to version 7.13 Final. In complex environments, it is imperative to conduct thorough vulnerability scanning to ensure all affected instances are remediated and further verify patch status post-remediation.
Additional security measures include:
- Using antivirus software to scan incoming files for malware
- Configuring strong directory permissions to prevent archive extraction into sensitive directories
- Providing user awareness training to educate staff about spearphishing attacks
- Scanning systems for indicators of compromise (IoCs) to identify potential compromise
- Configuring EDR solutions to alert on modifications to the Windows Startup folder
Summary
CVE-2025-8088 (CVSS 8.4), a high-risk WinRAR path traversal flaw, is actively exploited by the RomCom APT. Attacks are delivered via spearphishing email messages containing malicious RAR archives designed to deploy malware locally to the victim’s computer. A patched version, WinRAR 7.13 Final, provides urgent fixes to all affected Windows components, including the desktop application, portable UnRAR source code, and UnRAR.dll. Users are urged to patch immediately. OPENVAS SECURITY INTELLIGENCE includes version detection tests as part of the ENTERPRISE FEED, allowing security teams to scan their infrastructure, locate vulnerable WinRAR components, and patch them.
