What happened?
A serious security flaw in WinRAR, tracked as CVE-2025-8088, continues to be widely exploited by both state-sponsored and financially motivated threat actors. The vulnerability is a path traversal bug in the Windows version of WinRAR: the name of a Windows Alternate Data Stream (ADS) stored inside an archive was not sanitised, so a crafted archive can make WinRAR write a file outside the directory the user chose to extract to. WinRAR patched the flaw in version 7.13, released on 30 July 2025, but the bug was already being exploited as a zero-day before the patch was available.
The exploit works by attaching malicious files as alternate data streams to a decoy document (such as a PDF) inside a RAR archive, with the stream names carrying the path traversal. When a user extracts the archive with a vulnerable version of WinRAR, or opens the decoy file from within WinRAR, the decoy appears as expected while the hidden payload is written to an attacker-chosen location on the system, most often the Windows Startup folder, so that it runs at the next logon, long after the decoy was opened.
Exploits of this type are frequently used to deliver malware such as remote access trojans and infostealers. Once such tools gain a foothold, the result can be data theft, financial loss and further compromise across the network.
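As an added illustration of the traversal mechanism (example code written for this page, not from the original advisory and not WinRAR's source), the Python below models how a pre-7.13 extractor turns an archive entry's host file name and ADS name into a destination path, what that resolves to for a constructed archive listing modelled on the reported technique, and an assumed hardened rule beside it. The extraction directory, file names and the hardened check are assumptions for illustration; ntpath is used so the Windows path semantics reproduce on any operating system.

```python
import ntpath

# Constructed example archive listing, modelled on the reported technique: a normal
# decoy entry plus alternate data stream (ADS) entries attached to it. The payload
# rides in the ADS whose *name* carries the traversal. All names are invented.
EXTRACT_DIR = r"C:\Users\alice\Downloads\Offer"
STARTUP_PAYLOAD = (
    "..\\" * 10  # deeper than any likely extraction directory; surplus '..' at the drive root are discarded
    + r"Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe"
)
SAMPLE_ENTRIES = [
    # (host file name in archive, ADS name or None for the main data stream)
    ("Offer_Letter.pdf", None),
    ("Offer_Letter.pdf", "Zone.Identifier"),   # a benign stream name, for contrast
    ("Offer_Letter.pdf", STARTUP_PAYLOAD),
]


def vulnerable_ads_path(extract_dir, host_name, stream_name):
    """Model of the pre-7.13 behaviour: '<extract dir>\\<host>:<stream>' is handed to
    the filesystem unchecked. Win32 path normalisation collapses the '..' components
    before NTFS interprets the stream name, so the write lands wherever the '..'
    chain points, not inside extract_dir."""
    raw = ntpath.join(extract_dir, host_name) + ":" + stream_name
    return ntpath.normpath(raw)   # the same '..' collapsing Windows performs


def hardened_ads_path(extract_dir, host_name, stream_name):
    """Assumed hardened rule (illustrative, not WinRAR's actual patch): a stream name
    must be a single NTFS component, and the host file must resolve inside the
    extraction directory."""
    if not stream_name or ".." in stream_name or any(c in stream_name for c in "\\/:"):
        raise ValueError(f"unsafe stream name rejected: {stream_name!r}")
    base = ntpath.normpath(extract_dir)
    host = ntpath.normpath(ntpath.join(base, host_name))
    if not host.startswith(base + "\\"):
        raise ValueError(f"host entry escapes extraction directory: {host_name!r}")
    return host + ":" + stream_name


def escapes_extract_dir(extract_dir, host_name, stream_name):
    """True when the vulnerable resolution would write outside extract_dir."""
    base = ntpath.normpath(extract_dir) + "\\"
    return not vulnerable_ads_path(extract_dir, host_name, stream_name).startswith(base)


def triage_entries(extract_dir, entries):
    """Hunt helper: the ADS entries of an archive listing whose names would escape
    the extraction directory, which is the signature of this technique."""
    return [
        (host, stream)
        for host, stream in entries
        if stream is not None and escapes_extract_dir(extract_dir, host, stream)
    ]


if __name__ == "__main__":
    for host, stream in SAMPLE_ENTRIES:
        if stream is None:
            continue
        print("vulnerable:", vulnerable_ads_path(EXTRACT_DIR, host, stream))
        try:
            print("hardened:  ", hardened_ads_path(EXTRACT_DIR, host, stream))
        except ValueError as exc:
            print("hardened:   REJECTED,", exc)
    print("flagged:", triage_entries(EXTRACT_DIR, SAMPLE_ENTRIES))
```

The point the vulnerable function makes is that the attacker never needs to know how deep the victim's extraction directory is: enough `..` components walk up to the drive root, any surplus is silently discarded, and the remainder is an absolute path to the Startup folder. The hardened rule therefore has to reject the stream name outright rather than try to clean it.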
So what?
The ongoing exploitation of CVE-2025-8088 highlights the persistent risk posed by delayed patching and limited user awareness: despite a security update having been available for over six months, many organisations remain unpatched and their systems exposed.
While state actors have primarily targeted military, government, and technology organisations, financially motivated criminals are conducting opportunistic attacks against a range of sectors, including commercial, hospitality, and banking, on a global scale. The availability of ready-made exploits for sale on cybercrime forums has further lowered the barrier to entry, enabling a broad spectrum of threat actors to compromise unpatched systems quickly and efficiently.
Multiple threat actors have been observed using this exploit. Russian-linked groups such as RomCom (UNC4895), APT44 (FROZENBARENTS), Temp.Armageddon (CARPATHIAN), and Turla (SUMMIT) have targeted Ukrainian military and government entities, while Chinese state-backed actors have also used the same flaw to deliver the PoisonIvy Remote Access Trojan.
What should I do?
This situation highlights the ongoing challenges of effective patch management and the increasing professionalisation of cybercrime, where exploits are rapidly traded and weaponised; prompt action and ongoing vigilance are essential to protect against attacks – both targeted and opportunistic – seeking to exploit this WinRAR vulnerability.
Update WinRAR immediately: Ensure all systems are running WinRAR 7.13 or later. WinRAR does not update itself, so older installs stay vulnerable until someone replaces them. The fix also covers the Windows builds of RAR, UnRAR, the portable UnRAR source code and UnRAR.dll, so check third-party software that bundles UnRAR.dll as well; the Unix versions and RAR for Android are not affected.
Audit and patch management: Regularly review software inventories and patch management processes to ensure all critical applications are up to date, especially widely used tools like WinRAR.
User awareness: Educate users about the risks of opening unsolicited or suspicious archive files, even if they appear to contain harmless documents.
Monitor for Indicators of Compromise (IOCs): Hunt for the published IOCs. Also configure detection rules in your endpoint protection solution to alert on new or unusual files in the Windows Startup folders (both the per-user and the all-users folder), and in particular on executables written there by WinRAR.exe or other archive-extraction processes.
Review security controls: Ensure endpoint protection and detection tools are up to date and capable of detecting the latest malware strains delivered via this exploit.
Incident response readiness: Be prepared to respond quickly if compromise is suspected; ensure response plans include isolating affected systems and conducting forensic analysis, to minimise disruption.
Stay informed: Follow updates from trusted security vendors and threat intelligence sources for new developments and indicators related to CVE-2025-8088 and similar vulnerabilities.
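As an added example (written for this page, not taken from the advisory), a small Python audit helper covering two of the steps above: triaging a software-inventory export for WinRAR builds below 7.13, and flagging recently created autorun-capable files in the Startup folders this exploit is reported to drop into. The inventory rows, hostnames and the Startup-folder listing are constructed; the 30-day window and the rule that pre-release builds count as unpatched are assumptions made here.

```python
import os
import re
import sys
import time
from pathlib import Path

FIXED_VERSION = (7, 13)   # first fixed release: WinRAR 7.13, 30 July 2025

# File types that execute at logon when placed in a Startup folder.
AUTORUN_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".com"}

# Constructed software-inventory export (hostname,version as an inventory tool
# might report it). Hostnames and versions are invented for illustration.
SAMPLE_INVENTORY = """\
hostname,winrar_version
fin-ws-014,WinRAR 7.12 (64-bit)
fin-ws-015,7.13
hr-ws-002,7.13 beta 1
dev-ws-101,WinRAR 6.24
"""

# Constructed Startup-folder listing: (path, creation time as epoch seconds).
NOW = 1_760_000_000
SAMPLE_STARTUP = [
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini", NOW - 400 * 86400),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe", NOW - 2 * 3600),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OneDrive.lnk", NOW - 90 * 86400),
]


def parse_winrar_version(text):
    """Return (major, minor) from strings such as '7.13' or 'WinRAR 7.12 (64-bit)'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(text):
    """True only for a final 7.13 or later. Pre-release builds are treated as
    unpatched (a conservative assumption; the advisory names 7.13 final)."""
    if re.search(r"\bbeta\b", text, re.IGNORECASE):
        return False
    return parse_winrar_version(text) >= FIXED_VERSION


def unpatched_hosts(inventory_csv):
    """Hostnames whose recorded WinRAR version is below the fixed release."""
    rows = inventory_csv.strip().splitlines()[1:]   # skip the header row
    hits = []
    for row in rows:
        host, version = row.split(",", 1)
        if not is_patched(version):
            hits.append(host)
    return hits


def suspicious_startup_items(listing, now, max_age_days=30):
    """Flag autorun-capable files created within max_age_days in a Startup folder.
    Works on a (path, ctime) listing so it can be run over exported data too."""
    cutoff = now - max_age_days * 86400
    return [
        path for path, ctime in listing
        if os.path.splitext(path)[1].lower() in AUTORUN_SUFFIXES and ctime >= cutoff
    ]


def startup_folders():
    """Per-user and all-users Startup folders on this machine (Windows)."""
    tail = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    return [Path(os.environ[v]) / tail for v in ("APPDATA", "PROGRAMDATA") if v in os.environ]


def scan_local_startup(now=None):
    """Live scan of the local Startup folders; st_ctime is creation time on Windows."""
    listing = [
        (str(p), p.stat().st_ctime)
        for folder in startup_folders() if folder.is_dir()
        for p in folder.iterdir() if p.is_file()
    ]
    return suspicious_startup_items(listing, now or time.time())


if __name__ == "__main__":
    print("unpatched hosts in inventory:", unpatched_hosts(SAMPLE_INVENTORY))
    print("suspicious items in sample listing:", suspicious_startup_items(SAMPLE_STARTUP, NOW))
    if sys.platform == "win32":
        print("suspicious items on this machine:", scan_local_startup())
```

A hit from the Startup scan is a lead, not a verdict: confirm it by checking who created the file (an EDR will show the writing process, which for this exploit is WinRAR.exe or whatever application embeds UnRAR.dll) and by matching it against the published IOCs before treating it as an incident.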