
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability (CVE-2025-8088) affecting the Windows version of WinRAR was discovered by ESET researchers on July 18th, 2025. The vulnerability allows attackers to execute arbitrary code by crafting malicious archive files using alternate data streams (ADSes) for path traversal. The flaw affects WinRAR (Windows), RAR and UnRAR (Windows), UnRAR.dll, and portable UnRAR (Windows) versions up to 7.12. After notification from ESET researchers, WinRAR released version 7.13 with patches on July 30th, 2025 (ESET Research, WinRAR News).
The vulnerability exploits alternate data streams (ADSes) for path traversal, allowing attackers to craft archives that appear to contain only benign files while hiding malicious ADSes. When a victim opens the archive, WinRAR unpacks it along with all its hidden ADSes, deploying malicious files to sensitive locations like %TEMP% and the Windows startup directory. The attackers used multiple ADSes with increasing depths of parent directory relative path elements to ensure successful exploitation. The CVSS v3.1 base score is 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ESET Research).
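A defensive check for the pattern described above, added here as an illustration (it is not code from ESET, WinRAR, or this database). It assumes archive entries are available as `host:stream` strings from whatever listing tool you use; the function names and the sample listing are hypothetical.

```python
import re

_SEP = re.compile(r"[\\/]+")             # Windows accepts both separators
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")  # e.g. C:\ at the start of a path

def split_ads(entry):
    """Split 'host:stream' into (host, stream); stream is None for a plain file."""
    start = 2 if _DRIVE.match(entry) else 0  # skip the colon of a drive letter
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]

def traversal_depth(stream):
    """Number of '..' path components in a stream name."""
    return sum(1 for part in _SEP.split(stream) if part == "..")

def audit(entries):
    """Map each host file to the sorted '..' depths of its traversing streams."""
    findings = {}
    for entry in entries:
        host, stream = split_ads(entry)
        depth = traversal_depth(stream) if stream else 0
        if depth:
            findings.setdefault(host, []).append(depth)
    return {host: sorted(depths) for host, depths in findings.items()}

def laddered(findings):
    """Hosts carrying several traversing streams at different depths."""
    return sorted(h for h, d in findings.items() if len(set(d)) > 1)

# Constructed sample listing (assumption: not taken from any real archive).
SAMPLE = [
    "invoice.pdf",
    "invoice.pdf:Zone.Identifier",
    "cv.docx:..\\example.bin",
    "cv.docx:..\\..\\example.bin",
    "cv.docx:../../../example.bin:$DATA",
    "notes.txt:summary",
]

if __name__ == "__main__":
    found = audit(SAMPLE)
    for host, depths in found.items():
        print(f"{host}: stream names with '..' at depths {depths}")
    print("laddered:", laddered(found))
```

NTFS stream names cannot legitimately contain path separators, so any nonzero depth is grounds to quarantine the archive; the laddered case matches the "increasing depths" behaviour the paragraph describes.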
The vulnerability allows attackers to silently deploy malicious files when a victim extracts a seemingly benign archive, potentially leading to arbitrary code execution. The exploit was used in targeted attacks against financial, manufacturing, defense, and logistics companies in Europe and Canada. Successful exploitation could result in the deployment of various backdoors, including a SnipBot variant, RustyClaw, and a Mythic agent, enabling attackers to execute commands and download additional malicious modules (ESET Research).
Users of WinRAR and affected components should immediately upgrade to WinRAR version 7.13 or later. This includes users of the Windows versions of the command-line utilities, UnRAR.dll, and the portable UnRAR source code. Software solutions relying on publicly available Windows versions of UnRAR.dll or its corresponding source code should update their dependencies. Other platforms, including Linux/Unix builds and RAR for Android, are not affected (WinRAR News).
The discovery highlighted RomCom's increasing sophistication and willingness to invest in zero-day vulnerabilities for targeted attacks. This marks the third time RomCom has been caught exploiting significant zero-day vulnerabilities in the wild. The WinRAR team was praised for their quick response, releasing a patch within one day of notification (ESET Research).
Source: This report was generated using AI