WinRAR Vulnerability CVE-2025-8088 Exploited as Zero-Day to Deploy RomCom Malware
A critical security flaw in WinRAR, identified as CVE-2025-8088, has been exploited in zero-day phishing campaigns to install the RomCom malware. This vulnerability, a directory traversal bug, was addressed in WinRAR version 7.13. It allows attackers to create malicious archive files that, when extracted, can place files into attacker-controlled system paths.
According to the WinRAR 7.13 changelog, the flaw affects older Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The vulnerability lets a specially crafted archive override the user’s chosen extraction path and place files in a directory determined by the attacker.
Notably, Unix versions of RAR and UnRAR, portable UnRAR source code for Unix, the UnRAR library, and RAR for Android are not impacted by this issue.
How Attackers Exploit CVE-2025-8088
By abusing this bug, threat actors can create archives that drop executable files into Windows autorun directories, such as:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (Per-user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (System-wide)
When the affected user logs in again, these executables launch automatically, granting attackers remote code execution (RCE) capabilities.
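A defender-side pre-extraction check for the two conditions described above (an entry that escapes the chosen extraction directory, or one that would land in an autorun folder), added here as an illustration and not part of the article or of WinRAR. It resolves archive entry names with Windows path rules via Python's ntpath module, so it runs on any platform; the user name "alice", the extraction directory and the entry names are constructed sample values.

```python
import ntpath

# Windows autorun directories named in the article. The expanded forms below
# are constructed placeholders for a hypothetical user "alice"; a real scanner
# would expand %APPDATA% and %ProgramData% from the environment instead.
AUTORUN_DIRS = (
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)


def _is_rooted(name):
    """True for entries carrying a drive letter, UNC prefix or leading backslash."""
    drive, rest = ntpath.splitdrive(name)
    return bool(drive) or rest.startswith("\\")


def resolve_entry(dest_dir, entry_name):
    """Where a naively extracted entry would land, using Windows path rules."""
    name = entry_name.replace("/", "\\")
    if _is_rooted(name):
        return ntpath.normpath(name)
    return ntpath.normpath(ntpath.join(dest_dir, name))


def _is_under(path, directory):
    """Case-insensitive check that path is directory itself or lies below it."""
    p, d = path.lower(), ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def classify_entry(dest_dir, entry_name):
    """Return (verdict, resolved_path) for one archive entry name."""
    target = resolve_entry(dest_dir, entry_name)
    if any(_is_under(target, d) for d in AUTORUN_DIRS):
        return "autorun", target
    if not _is_under(target, dest_dir):
        return "traversal", target
    return "ok", target


def scan_entries(dest_dir, entry_names):
    """Classify every entry; anything not 'ok' should block extraction."""
    return [(name, *classify_entry(dest_dir, name)) for name in entry_names]


if __name__ == "__main__":
    # Constructed entry names for demonstration, not taken from any real archive.
    sample = [
        "invoice/report.pdf",
        r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.exe",
        r"..\notes.txt",
    ]
    for row in scan_entries(r"C:\Users\alice\Downloads\out", sample):
        print(row)
```

The check inspects entry names only; a patched extractor (WinRAR 7.13 or later) already enforces the user-chosen directory, so this is useful for gateways or sandboxes that inspect attachments before they reach an endpoint.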
Active Exploitation in the Wild
Since WinRAR lacks an auto-update feature, all users are strongly advised to manually download and install the latest version from win-rar.com to protect against exploitation.
Researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET discovered the vulnerability. Strýček confirmed to BleepingComputer that the flaw was being actively exploited in spearphishing campaigns.
“ESET has observed spearphishing emails containing RAR file attachments,” Strýček said. “These archives exploit CVE-2025-8088 to deliver RomCom backdoors.”
About the RomCom Threat Actor
RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-linked cybercriminal group involved in ransomware, data theft, credential stealing, and targeted espionage. The group is known for:
Using zero-day vulnerabilities in high-profile campaigns
Deploying custom malware for persistence and espionage
Engaging in ransomware operations, including links to Cuba and Industrial Spy ransomware gangs
ESET is preparing a detailed report on the exploitation of this flaw, which will be released in the near future.