WinRAR Releases Emergency Patch for CVE-2025-8088 Zero-Day Exploit

WinRAR has patched a critical zero-day vulnerability (CVE-2025-8088) in its Windows versions, actively exploited in spear-phishing attacks. The flaw allowed attackers to drop hidden payloads into auto-run locations, granting persistence and remote code execution. CVE-2025-8088, discovered by ESET researchers, leveraged path traversal through alternate data streams (ADSes). From mid-July 2025, threat actors RomCom and Paper Werewolf used the flaw in targeted campaigns against defense, finance, and manufacturing sectors. The vulnerability was patched in WinRAR 7.13 on July 30, 2025. As WinRAR does not auto-update, all users must manually install the latest version to stay secure.

Aug 27, 2025 - 17:24
Aug 27, 2025 - 17:48

The popular file archiving tool WinRAR has become the latest target of cybercriminals, with a zero-day flaw now cataloged as CVE-2025-8088. The vulnerability, rated high severity (CVSS 8.8), was actively exploited in real-world attacks before being patched on July 30, 2025.

What Happened?

Researchers at ESET identified that attackers exploited the flaw by embedding malicious files inside RAR archives using alternate data streams (ADSes). When extracted with vulnerable WinRAR versions (≤ 7.12), these hidden files were silently placed into sensitive Windows directories such as the Startup folder, ensuring automatic execution on reboot.

The attacks primarily relied on spear-phishing emails disguised as job applications, contracts, and official documents, making them highly convincing.

Threat Actors Involved

  • RomCom Group – linked to espionage and malware delivery campaigns, distributing phishing RAR files to organizations across Europe and North America.

  • Paper Werewolf (GOFFEE) – a Russian-focused group, previously tied to WinRAR exploits, also leveraged CVE-2025-8088 in targeted operations.

Reports suggest that an exploit kit for this zero-day was even offered on underground forums for $80,000, increasing its reach among advanced attackers.

Patch and Timeline

  • July 18, 2025 – Exploitation detected in the wild.

  • July 30, 2025 – WinRAR version 7.13 released with patch.

  • August 2025 – CISA added CVE-2025-8088 to its Known Exploited Vulnerabilities (KEV) catalog, requiring U.S. federal agencies to patch by September 2, 2025.

Why It Matters

  • Stealthy Attack Vector – Hidden ADS payloads bypass normal file views.

  • Persistence & RCE – Attackers gained long-term system access.

  • Global Targeting – Critical industries like defense, logistics, and finance were prime targets.

Mitigation & Recommendations

  • Update Immediately – Install WinRAR 7.13 or later. Remember: WinRAR does not auto-update.

  • Be Alert for Suspicious Files – Treat unsolicited RAR attachments with caution.

  • Monitor Autorun Directories – Watch for unexpected files in Startup and system paths.

  • Deploy Security Tools – Endpoint Detection & Response (EDR) can help flag ADS usage.

  • Raise Awareness – Train employees about archive-based spear-phishing risks.
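
A short triage script covering three of the points above (the WinRAR version check, the Startup folders, and alternate data streams on the files found there), written as an added example for this article rather than code from WinRAR, ESET or the author. It assumes WinRAR is installed at its default path under Program Files and is run on the Windows host being checked.

```powershell
# Added triage script (not from the article): checks the three mitigation points above.
# Assumption: WinRAR is installed in its default location. Run on the Windows host itself.
$WinRarExe    = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
$FixedVersion = [version]'7.13'   # first release with the CVE-2025-8088 fix

# 1. Is the installed WinRAR older than 7.13 (and therefore still affected)?
if (Test-Path $WinRarExe) {
    $installed = [version](Get-Item $WinRarExe).VersionInfo.FileVersion
    if ($installed -lt $FixedVersion) {
        Write-Warning "WinRAR $installed is vulnerable; install $FixedVersion or later (it does not auto-update)."
    } else {
        Write-Host "WinRAR $installed is at or above the patched version."
    }
} else {
    Write-Host "WinRAR not found at $WinRarExe (non-default install path, or not installed)."
}

# 2. List everything in the per-user and all-users Startup folders; the exploit dropped
#    its payload here so that it runs at the next logon. Unrecognised entries deserve a look.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($dir in $startupDirs) {
    Write-Host "`nStartup folder: $dir"
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $f = $_
        Write-Host ("  {0,-40} {1,8} bytes  modified {2}" -f $f.Name, $f.Length, $f.LastWriteTime)

        # 3. Alternate data streams: every NTFS file has the unnamed ':$DATA' stream; any other
        #    named stream is worth inspecting (Zone.Identifier is the usual benign mark-of-the-web).
        Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { Write-Host ("    ADS: {0} ({1} bytes)" -f $_.Stream, $_.Length) }
    }
}
```

Run it from an elevated PowerShell session so the all-users Startup folder and its streams are readable; a blank ADS list for every entry is the expected result on a clean machine.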

Conclusion

The WinRAR CVE-2025-8088 exploit is a reminder that even trusted utilities can become powerful weapons in the wrong hands. While the vendor has issued a patch, the lack of auto-updates means many users remain exposed. The message is clear: update now, or risk compromise.