Hackers Exploited a New WinRAR Flaw Before It Was Patched
A recently patched vulnerability in WinRAR, identified as CVE-2025-8088, was exploited in targeted phishing attacks even before a fix became available. The flaw, classified as a directory traversal vulnerability and not fixed until WinRAR version 7.13, allowed attackers to craft specially designed archives that, when extracted, placed files not in the folder selected by the user but in a directory chosen by the attacker. This made it possible to bypass the extraction path restriction and drop malicious code into sensitive Windows directories.
Unlike the normal extraction process, where files are unpacked into a predefined location, this vulnerability allowed the extraction path to be overridden, redirecting contents into the operating system's startup folders. These include the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the system-wide Startup folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp). Any executable placed there through exploitation would automatically run upon the next system login, effectively granting the attacker remote code execution without further user interaction.
The issue affected only the Windows versions of WinRAR, RAR, UnRAR, their portable builds, and the UnRAR.dll library. Variants for Unix-based systems, Android, and their corresponding source code were not impacted.
The severity of the situation was heightened by the absence of an automatic update mechanism in WinRAR. Users unaware of new releases could remain vulnerable for months without realizing it. The developers strongly advise manually downloading and installing WinRAR 7.13 from the official website, win-rar.com, to prevent exploitation.
The vulnerability was discovered by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček. Strýček confirmed that it had been used in real-world phishing campaigns to deploy RomCom malware. In these attacks, victims received emails with malicious RAR archives embedding the CVE-2025-8088 exploit.
RomCom—also tracked as Storm-0978, Tropical Scorpius, or UNC2596—is a threat group specializing in ransomware attacks, data theft, extortion, and credential harvesting. Its toolkit includes proprietary malware designed for long-term persistence, information theft, and backdoor creation, enabling covert access to compromised systems.
The group is known for leveraging zero-day vulnerabilities in its campaigns and for collaborating with other ransomware operations, including Cuba and Industrial Spy. The current campaign exploiting the WinRAR flaw is yet another example of how RomCom blends advanced technical exploitation with social engineering to infiltrate corporate networks.
ESET is preparing a detailed report on the incident, which will provide an in-depth analysis of the exploitation techniques and technical specifics of the observed attacks.