
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability in the Windows version of WinRAR (CVE-2025-8088) allows an attacker to execute arbitrary code on a victim's machine by getting the victim to extract a crafted archive. ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček discovered the flaw being exploited in the wild on July 18th, 2025; it was patched in WinRAR 7.13, released on July 30th, 2025. All WinRAR versions up to and including 7.12 are affected, as are the Windows builds of the RAR and UnRAR command-line tools, the portable UnRAR source code, and UnRAR.dll; the Unix builds and RAR for Android are not affected (ESET Research, WinRAR News).
The vulnerability (CVE-2025-8088) has been assigned a CVSS score of 8.4 HIGH. It is a path traversal through NTFS alternate data streams (ADS): an archive entry can name a stream as `file.ext:streamname`, and a stream name containing `..\` sequences is applied to the destination path at extraction time, so the stream contents are written outside the directory the user chose. A crafted archive appears in WinRAR to contain only a single benign file, while the multiple malicious ADSes attached to it are not shown to the user and are written silently during extraction. In the observed attacks the ADSes dropped malicious DLLs into %TEMP% or %LOCALAPPDATA% and a crafted .lnk file into the Windows Startup folder, so the payload runs automatically at the next user login (ESET Research, SOCRadar).
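The following Python example is added here to show the class of check involved; it is not WinRAR's or ESET's code and does not parse RAR files. It models an extractor's path validation on archive entry names: a flawed version that checks only the file-name part and treats the stream name after the colon as opaque, beside a hardened version that rejects separators and `..` in stream names and normalises the whole path Windows would open. The extraction directory and all entry names are constructed for the example and are not indicators from the real campaign.

```python
import ntpath

# Assumed extraction directory chosen by the user (hypothetical path for this example).
EXTRACT_ROOT = r"C:\Users\victim\Downloads\resume"

# Constructed archive entry names modelled on the ADS technique described above.
# They are invented for illustration, not real indicators. Backslashes separate
# path components; the first colon separates the file name from a stream name.
SAMPLE_ENTRIES = [
    "Resume.pdf",
    # Stream name that climbs out of the extraction directory into the Startup
    # folder. Surplus "..\" components are dropped once the drive root is reached,
    # so the attacker does not need to know how deep the extraction directory is.
    "Resume.pdf:" + "..\\" * 8
    + r"Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "Resume.pdf:" + "..\\" * 8 + r"Users\victim\AppData\Local\Temp\loader.dll",
    r"notes\readme.txt",
    r"notes\readme.txt:Zone.Identifier",  # benign ADS, must remain allowed
    r"..\dropped.exe",                      # classic traversal in the file name itself
]


def resolve_destination(entry_name: str) -> str:
    """Return the path Windows would actually open for this entry.

    Win32 path normalisation splits on backslashes before it knows anything
    about streams, so 'file.pdf:..' is one component and every '..' after it
    walks up the tree. Joining and normalising with ntpath reproduces that.
    """
    return ntpath.normpath(ntpath.join(EXTRACT_ROOT, entry_name))


def is_under_root(path: str) -> bool:
    """True if path is the extraction root or lies beneath it (case-insensitive)."""
    root = ntpath.normcase(EXTRACT_ROOT).rstrip("\\")
    candidate = ntpath.normcase(path)
    return candidate == root or candidate.startswith(root + "\\")


def vulnerable_is_safe(entry_name: str) -> bool:
    """Flawed check: validate only the file-name part; the stream name is never looked at.

    This models the bug class the advisory describes. Traversal hidden after
    the colon passes because the stream name is treated as opaque.
    """
    file_part = entry_name.split(":", 1)[0]
    return is_under_root(resolve_destination(file_part))


def hardened_is_safe(entry_name: str) -> bool:
    """Check the entry the way a safe extractor should.

    1. Reject stream names containing separators or '..' outright; a legitimate
       ADS name such as Zone.Identifier never needs them.
    2. Normalise the complete path, colon included, and require it to stay
       under the extraction root.
    """
    if ":" in entry_name:
        _, stream = entry_name.split(":", 1)
        if not stream or "\\" in stream or "/" in stream or ".." in stream:
            return False
    return is_under_root(resolve_destination(entry_name))


def triage(entries):
    """Map each entry name to (flawed verdict, hardened verdict, resolved path)."""
    return {
        name: (vulnerable_is_safe(name), hardened_is_safe(name), resolve_destination(name))
        for name in entries
    }


if __name__ == "__main__":
    for name, (old, new, dest) in triage(SAMPLE_ENTRIES).items():
        print(f"flawed={'ALLOW' if old else 'BLOCK'} hardened={'ALLOW' if new else 'BLOCK'}  {dest}")
```

Running the block prints, for each constructed entry, where extraction would actually write and which verdict each check gives: the flawed check allows both ADS entries even though they resolve into the Startup folder and %LOCALAPPDATA%\Temp, while the hardened check blocks them and still allows the benign Zone.Identifier stream. The same `resolve_destination` logic is a quick way to triage a suspicious archive's entry listing before anyone extracts it.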
Successful exploitation gives the attacker arbitrary code execution and persistence on the targeted system. ESET observed the exploit in targeted attacks against financial, manufacturing, defense, and logistics companies in Europe and Canada, delivering several backdoors: a SnipBot variant, RustyClaw, and a Mythic agent, any of which can lead to unauthorized access and data theft (ESET Research, Hacker News).
Users should update to WinRAR 7.13 or later immediately. WinRAR does not update itself, so the new version must be downloaded and installed manually or pushed through software deployment tooling. Organizations whose software bundles UnRAR.dll should update that dependency as well. Additional recommended mitigations include restricting where archives are extracted to user-writable directories, blocking execution from temporary folders, monitoring for unexpected .lnk files in the per-user and all-users Startup directories and for unexpected DLLs in %TEMP% and %LOCALAPPDATA%, and reviewing outbound network connections to suspicious domains (SOCRadar, WinRAR News).
The discovery has drawn significant attention in the security community, particularly because it is at least the third time RomCom has been caught exploiting a zero-day vulnerability in its attacks. WinRAR's prompt response, releasing a fix within days of being notified, has been acknowledged positively by security researchers (ESET Research).
Source: This report was generated using AI