Thought Leadership
Attackers exploited a directory traversal vulnerability in WinRAR to spread malware via manipulated archives. The vulnerability CVE-2025-8088 has been patched since version 7.13.
A directory traversal vulnerability (also known as path traversal) is a security hole that allows attackers to access or manipulate files and folders outside the intended area. In recent phishing campaigns, cybercriminals have used a previously unknown vulnerability in WinRAR to install the RomCom malware. The vulnerability, classified as CVE-2025-8088, made it possible to store files in arbitrary locations using these specially manipulated archives.
How the attack works
The problem lies in the way WinRAR processes file paths. Earlier program versions could be tricked by specially prepared archives into using the target path stored in the archive instead of the extraction location selected by the user.
WinRAR versions prior to 7.13 as well as the Windows versions of RAR, UnRAR, UnRAR.dll and the portable UnRAR source code are affected. Unix systems and the Android version are not affected.
The next time the system is started, Windows automatically executes these files and gives the attackers access to the system.
Recommended protective measures
Users should update to WinRAR 7.13 immediately. As the program does not have an automatic update function, a manual installation of the current version from the official website win-rar.com is required.
Discovery and exploitation
ESET researchers Anton Cherepanov, Peter Košinár and Peter Strýček identified the vulnerability. According to ESET expert Strýček, spear phishing emails with RAR attachments were used, which exploited CVE-2025-8088 to spread RomCom backdoors (via BleepingComputer).
RomCom is a Russian cybercrime group that also goes by the names Storm-0978, Tropical Scorpius and UNC2596. The group specializes in ransomware attacks, data theft and credential harvesting. RomCom is known for its use of zero-day exploits and customized malware. It has links to the Cuba and Industrial Spy ransomware families.
