CVE-2025-8088: WinRAR Zero-Day Exploited to Deploy RomCom Malware


CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR for Windows, disclosed by ESET. It was exploited in the wild as a zero-day by the Russia-aligned RomCom cyber-espionage group to deliver the RomCom backdoor via malicious RAR archives, distributed primarily through spear-phishing emails.

Severity Level: High

Vulnerability Details

  • Type: Path Traversal (arbitrary file write)
  • Impact: A crafted archive can write files to attacker-chosen locations (e.g., the Windows Startup folder), which leads to arbitrary code execution at the victim's next logon.
  • Affected Versions: WinRAR for Windows 7.12 and earlier; the Windows RAR/UnRAR command-line tools, the portable UnRAR source and UnRAR.dll are also affected. Unix builds and RAR for Android are not.
  • Patched Version: 7.13 (manual update required, as WinRAR does not auto-update).
  • CVE ID: CVE-2025-8088.
  • CVSS Score: 8.4

The flaw lies in how WinRAR resolves the file paths stored in an archive when it extracts them.

  • A malicious RAR entry can carry relative (..\) or absolute path components that WinRAR honoured instead of confining the write to the folder the user selected; in the exploited samples ESET analysed, the traversal was hidden in NTFS alternate data stream (ADS) names attached to an otherwise harmless-looking entry.
  • Files therefore landed outside the intended directory, including in the Windows Startup folders, from which Windows runs them automatically at the next logon (including after a reboot).
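The boundary check WinRAR lacked can be stated concretely. The following is an added example written for this advisory, not WinRAR's code or anything published by ESET: it takes the entry names from an archive listing and rejects any that use absolute or UNC paths, `..` components, or NTFS alternate-data-stream syntax, or that would resolve outside the chosen extraction folder. The sample entry names and the destination path are constructed for illustration; `ntpath` is used so the Windows path semantics hold on any host.

```python
import ntpath
import re

# Constructed sample entry names for illustration; none come from a real archive.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/agenda.docx",
    "../../Users/Public/evil.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe",
    r"readme.txt:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.lnk",
    r"\\server\share\x.exe",
]

# Matches both the per-user and the all-users Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup(\\|$)", re.IGNORECASE)


def check_entry(name, dest=r"C:\Users\victim\Downloads\extracted"):
    """Return the list of findings for one archive entry name.

    An empty list means the entry resolves to a file strictly inside ``dest``
    and carries no traversal, absolute-path or alternate-data-stream (ADS) syntax.
    """
    findings = []
    win = name.replace("/", "\\")

    # Drive letters (C:) and UNC prefixes (\\server\share) must never appear in an entry.
    drive, rest = ntpath.splitdrive(win)
    if drive or rest.startswith("\\"):
        findings.append("absolute")

    # Once the drive is removed, any remaining colon is NTFS ADS syntax (file:stream).
    if ":" in rest:
        findings.append("ads")
        base, stream = rest.split(":", 1)
    else:
        base, stream = rest, ""

    # Reject '..' anywhere, including inside the stream name.
    components = [c for c in (base + "\\" + stream).split("\\") if c]
    if ".." in components:
        findings.append("traversal")

    # Resolve the base path the way an extractor would and require it to stay under dest.
    dest_norm = ntpath.normpath(dest).lower()
    target = ntpath.normpath(ntpath.join(dest, drive + base)).lower()
    if target != dest_norm and not target.startswith(dest_norm + "\\"):
        findings.append("escapes-destination")

    # Flag the classic persistence location regardless of how the path reaches it.
    if STARTUP_RE.search(win):
        findings.append("startup-target")
    return findings


def audit_listing(entries, dest=r"C:\Users\victim\Downloads\extracted"):
    """Map every entry name to its findings; entries with findings must not be extracted."""
    return {e: check_entry(e, dest) for e in entries}


if __name__ == "__main__":
    for entry, findings in audit_listing(SAMPLE_ENTRIES).items():
        print(("BLOCK  " if findings else "ALLOW  ") + entry, findings)
```

A mail gateway or sandbox that lists archive members before detonation can apply the same checks to the listing; anything with a finding is quarantined rather than extracted. Note that the ADS case is only caught because the stream name is treated as a path in its own right, which is exactly the component a naive check on the visible file name would miss.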

In July 2025, the Paper Werewolf (also tracked as GOFFEE) cyberespionage group launched a series of targeted attacks on Russian organizations exploiting two WinRAR vulnerabilities: CVE-2025-6218 (fixed in 7.12) and CVE-2025-8088 (a zero-day at the time, fixed in 7.13). Both allow directory traversal on extraction, so a malicious executable or shortcut can be dropped into a Startup folder and run at the victim's next logon. The campaign used phishing emails posing as communications from government ministries and reputable companies, with weaponized RAR attachments that delivered custom loaders and reverse shells for persistent access.

Exploitation In The Wild

  • Delivery Method: Phishing emails with malicious RAR archives.
  • Trigger: User extracts the archive, or opens a bundled decoy file from within it (which extracts it).
  • Payload: RomCom malware backdoor.
  • Execution Path:
    • User opens malicious archive.
    • Malicious file is written to the Startup folder instead of the chosen extraction directory.
    • At the next logon (including after a reboot), Windows runs the Startup folder contents and the payload executes without further user action.
  • RomCom Capabilities: data theft, remote command execution, and secondary malware installation.

Recommendations

  1. Update WinRAR to v7.13 immediately; because WinRAR does not auto-update, push the installer through software deployment rather than relying on users.
  2. Where feasible, restrict write access to the all-users Startup folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) and other sensitive directories to trusted processes. The per-user Startup folder under %APPDATA% is writable by the logged-on user by design, so rely on monitoring there: alert on files created in either Startup folder by archive utilities or other unexpected processes, and on execution of files from temp or user-profile directories.
  3. Implement application allowlisting to prevent unauthorized executables from running.
  4. Block or quarantine RAR/ZIP attachments from untrusted senders at the mail gateway.
  5. Implement sandbox detonation for compressed files before delivery to users.
  6. Train employees to identify phishing emails and avoid opening suspicious attachments.
  7. Block the published IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/b9b012faf01077260e35da4f727f4fbcf82252c1cdf88adc5383df0aeb4ef301/iocs
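The monitoring in recommendation 2 can be expressed as two correlated rules over endpoint telemetry. The following is an added example written for this advisory, not a detection published by ESET, BI.ZONE or the Sysmon project: it runs over constructed Sysmon-style events (FileCreate, Event ID 11, and ProcessCreate, Event ID 1, using Sysmon's field names) and raises a high-severity alert when an archive utility writes into a Startup folder, then escalates to critical when a process later starts from a file that one of those writes created. The archiver list, the sample events and the severity labels are assumptions for the example.

```python
import json
import re

# Constructed Sysmon-style events as JSON lines, the way a SIEM forwarder might emit them.
# Hosts, users, times and file names are made up for this example.
SAMPLE_LOG = r"""
{"EventID": 11, "UtcTime": "2025-08-01 09:12:03.100", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\victim\\Downloads\\extracted\\report.pdf"}
{"EventID": 11, "UtcTime": "2025-08-01 09:12:03.140", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.exe"}
{"EventID": 11, "UtcTime": "2025-08-01 10:30:00.000", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"}
{"EventID": 1, "UtcTime": "2025-08-02 08:01:15.000", "Image": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Sync.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2025-08-02 08:01:16.000", "Image": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Matches both the per-user (%APPDATA%) and the all-users (%ProgramData%) Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Assumed set of archive extractors to correlate on; extend it to match the estate.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows path, for matching against ARCHIVERS."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the two rules over events in time order and return the alerts raised."""
    dropped = {}  # lower-cased path of each Startup-folder file written by an archiver -> time
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target) and image_name(ev.get("Image", "")) in ARCHIVERS:
                dropped[target.lower()] = ev["UtcTime"]
                alerts.append({"rule": "archiver_write_to_startup", "severity": "high",
                               "time": ev["UtcTime"], "image": ev["Image"], "file": target})
        elif eid == 1:  # ProcessCreate
            image = ev.get("Image", "")
            if image.lower() in dropped:
                # The file an archiver planted in Startup has now run: the full kill chain.
                alerts.append({"rule": "execution_of_archiver_dropped_file", "severity": "critical",
                               "time": ev["UtcTime"], "image": image,
                               "dropped_at": dropped[image.lower()]})
            elif STARTUP_RE.search(image):
                # Anything else launching from Startup is worth a look, at lower priority.
                alerts.append({"rule": "process_started_from_startup_folder", "severity": "medium",
                               "time": ev["UtcTime"], "image": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["rule"], alert["time"], alert["image"])
```

Two practical notes: Sysmon only records FileCreate events for paths its configuration includes, so the Startup folders need an explicit include rule before the first rule fires; and the explorer.exe write of a shortcut in the sample is deliberately left alone, because users create Startup shortcuts themselves and alerting on every write there would bury the archiver case in noise.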

Source:

  • https://hackread.com/winrar-zero-day-cve-2025-8088-spread-romcom-malware/
  • https://www.win-rar.com/whatsnew.html?&L=0
  • https://bi.zone/expertise/blog/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar/

Ampcus Cyber