A newly documented zero-day vulnerability in WinRAR, cataloged as CVE-2025-8088, is being actively exploited in the wild by RomCom, a Russia-aligned threat actor. Recent findings by ESET Research and corroborated by multiple cybersecurity organizations reveal that this flaw enables path traversal during RAR file extraction, allowing malicious executables to be placed directly into Windows Startup folders. Upon system reboot, these payloads achieve remote code execution, facilitating ongoing access to compromised systems.
The exploitation campaign, launched in mid-July 2025, highlights RomCom’s increasing adeptness at integrating zero-day vulnerabilities into their cyberespionage toolkit. Organizations in critical industries, including defense, logistics, manufacturing, and finance, across Europe and Canada have been targeted through spear-phishing emails disguised as job applications.
Malicious Archives Exploit a Path Traversal Flaw in WinRAR
CVE-2025-8088 allows threat actors to bypass user-specified extraction paths.
This vulnerability affects multiple implementations of WinRAR on Windows platforms—specifically, the GUI and command-line utilities, UnRAR.dll, and even the portable UnRAR source code. Crucially, Unix and Android implementations remain unaffected.
At the core of CVE-2025-8088 is a path traversal flaw that occurs during RAR archive extraction. Attackers craft RAR files that deliberately override the standard extraction path, redirecting files into sensitive directories such as:
- `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- Other Windows autorun locations
This redirection gives the payload persistence: it executes automatically on the next system reboot. If successful, the result is often full remote code execution with no knowledge of, or further interaction from, the victim once the archive has been extracted.
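As an added illustration (not ESET's or WinRAR's code), this is the check a safe extractor must make before writing any entry: resolve the name stored in the archive against the directory the user chose and refuse anything that lands elsewhere, with an extra flag when the target is the Startup folder the article names. The destination directory, the entry names and the autorun list are constructed for the example; a real triage pipeline would read the names from a RAR listing library.

```python
import ntpath

# Constructed inputs for this example: the directory a user chose for extraction
# and entry names as read from an archive's file table (a real pipeline would
# get them from a RAR listing library before writing anything to disk).
DEST_DIR = r"C:\Users\alice\AppData\Local\Temp\cv"
SAMPLE_ENTRIES = [
    r"Application_CV.pdf",
    r"docs\..\cover_letter.docx",
    r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"..\..\..\Roaming\notes.txt",
]
# Autorun folder named in the article, as a path component sequence
# (assumption: extend this tuple with other autorun locations you care about).
AUTORUN_SUFFIXES = (r"Microsoft\Windows\Start Menu\Programs\Startup",)

def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Where a naive extractor would write the entry: join to the chosen directory
    and collapse '.'/'..' with Windows rules (ntpath works on a Linux host too)."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))

def escapes_destination(dest_dir: str, entry_name: str) -> bool:
    """True when the archive, not the user, ends up choosing the output folder."""
    if ntpath.isabs(entry_name) or ntpath.splitdrive(entry_name)[0]:
        return True  # rooted or drive-qualified names discard dest_dir entirely
    dest = ntpath.normpath(dest_dir).lower().rstrip("\\") + "\\"
    target = resolve_entry(dest_dir, entry_name).lower() + "\\"
    return not target.startswith(dest)  # case-insensitive, like NTFS

def targets_autorun(resolved_path: str) -> bool:
    """True when the resolved path lands inside a known autorun folder."""
    p = "\\" + resolved_path.lower().strip("\\") + "\\"
    return any("\\" + s.lower() + "\\" in p for s in AUTORUN_SUFFIXES)

def triage_entry(dest_dir: str, entry_name: str) -> str:
    """Verdict for one entry: 'ok', 'traversal' or 'traversal->autorun'."""
    if not escapes_destination(dest_dir, entry_name):
        return "ok"
    if targets_autorun(resolve_entry(dest_dir, entry_name)):
        return "traversal->autorun"
    return "traversal"

def triage_archive(dest_dir: str, entry_names) -> dict:
    """Map each entry to its verdict; anything not 'ok' should block extraction."""
    return {name: triage_entry(dest_dir, name) for name in entry_names}

if __name__ == "__main__":
    for name, verdict in triage_archive(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{verdict:<19} {name}")
```

The same verdicts can drive a mail-gateway or sandbox rule: an archive with any entry other than `ok` is quarantined rather than handed to the user.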
RomCom Leverages the WinRAR Vulnerability in Spear-Phishing Attacks
Campaigns primarily targeted Western companies with tailored social engineering tactics.
Between July 18 and July 21, 2025, RomCom orchestrated a targeted spear-phishing campaign aimed at organizations in Europe and Canada. The emails carried malicious RAR attachments masked as legitimate job application documents—primarily fake CVs in .rar format.
Once extracted by unsuspecting employees, these archives deployed a suite of backdoors, including:
- SnipBot – typically used for remote control and reconnaissance
- RustyClaw – a modular implant for persistent access
- Mythic agent – an open-source command-and-control framework often customized for stealthy operations
These implants allowed sustained access and surveillance capabilities across infected endpoints. ESET telemetry indicates that no successful compromises were confirmed during this campaign, although the intention and potential impact were clear.
Longstanding Vulnerability Patterns Plague WinRAR’s Archive Handling
CVE-2025-8088 shares characteristics with earlier vulnerabilities.
This is not the first time WinRAR’s archive processing mechanisms have drawn the attention of advanced persistent threat (APT) groups. Earlier in 2025, a similar flaw, CVE-2025-6218, was disclosed, underscoring a recurring weakness in how WinRAR handles file paths and directory structures.
CVE-2025-8088 continues this trend, demonstrating that archive deserialization and extraction remain underexamined vectors in enterprise cybersecurity.
RomCom, also tracked as Storm-0978, Void Rabisu, and UNC2596, is historically known for aligning with Russian geopolitical interests. Past campaigns have linked the group to espionage efforts against Ukraine and Western entities supporting Ukraine-related activities.
Patch Released, but Manual Update Required due to Lack of Auto-Update Feature
Mitigation relies entirely on user action.
Following responsible disclosure by ESET, WinRAR developers addressed the flaw in version 7.13, released on July 30, 2025. However, no auto-update mechanism exists for WinRAR on the Windows platform, requiring users to manually download and install the patched version.
This poses a substantial risk for enterprise IT environments, particularly those with decentralized or loosely managed desktop software installations. Without centralized patch management or employee education, vulnerable versions may persist for weeks—or longer—after disclosure.
Security teams should urgently take the following steps:
- Identify all endpoints running Windows versions of WinRAR or UnRAR utilities.
- Update software to version 7.13 manually.
- Monitor email systems for spear-phishing campaigns carrying RAR attachments.
- Prevent extraction of RAR files in sensitive user directories using endpoint protection tools.
Strategic Takeaways for Security Operations Centers and CISOs
Software update discipline remains a fundamental pillar of cyber hygiene.
The WinRAR vulnerability (CVE-2025-8088) and its exploitation by actors like RomCom demonstrate how even mature and widely trusted software can be weaponized through zero-day flaws. For security-conscious organizations, several takeaways are evident:
- Audit non-standard software such as WinRAR across corporate environments, especially where official support or patching workflows are lacking.
- Educate users about the risks of opening unsolicited resumes or job applications—even seemingly innocuous file types can harbor malicious intent.
- Incorporate archive analysis into sandboxing and attachment scanning platforms, considering hidden path manipulations and embedded executables.
- Leverage threat intelligence sharing, as early disclosures—such as from ESET in this case—enabled a relatively fast developer response and mitigation path.
Although no confirmed breaches occurred during the observed RomCom attack campaign, the incident highlights the critical operational window between zero-day disclosure and widespread patch enforcement. Security teams must act promptly when vendor patches are issued—especially in the absence of auto-update mechanisms.