A recently patched WinRAR vulnerability tracked as CVE-2025-8088 was used in live phishing campaigns to install RomCom backdoors. The flaw is a directory traversal bug fixed in WinRAR 7.13 that lets specially crafted archives force files to extract into locations chosen by an attacker. Security researchers at ESET say the bug was weaponized in spearphishing emails carrying malicious RAR attachments.
How the WinRAR flaw works and why it leads to remote code execution
WinRAR’s older extraction code could be tricked into using an attacker-supplied path embedded in an archive rather than the user’s chosen extract folder. As WinRAR’s changelog states:
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path.”
The changelog also notes that Unix and Android builds are not affected.
By choosing autorun locations, attackers could place executables where Windows will run them at next login. Examples of Windows autorun folders noted in reporting include:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (user-level)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide)
A malicious executable dropped into these folders will run when the user signs in, enabling remote code execution without further user interaction. WinRAR does not include an auto-update feature; vendors and researchers pointed out that users must manually install WinRAR 7.13 to close the hole.
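As an added illustration (not code from the article, ESET or WinRAR), the following Python helper performs the pre-extraction check that the patched behaviour implies: it takes the entry names an archive stores, resolves where each would land if the extractor trusted them, and flags any that escape the chosen folder or land in a Windows Startup folder. The extraction root and entry names are constructed samples, and feeding it a real listing (for instance the file names reported by a RAR listing tool) is left to the caller.

```python
import ntpath

# The two Windows Startup folders named in the article share this path suffix,
# so one lowercase suffix matches both the %APPDATA% and %ProgramData% variants.
STARTUP_SUFFIX = r"microsoft\windows\start menu\programs\startup"


def resolve_destination(extract_root: str, entry_name: str) -> str:
    """Where an archive entry would land if the extractor trusted its stored name.

    ntpath applies Windows semantics (drive letters, backslashes, '..') on any
    host, and ntpath.join already discards the root when the entry is absolute
    or rooted (e.g. 'C:\\x' or '\\x'), so a single join covers both cases.
    """
    root = ntpath.normpath(extract_root)
    return ntpath.normpath(ntpath.join(root, entry_name))


def classify_entry(extract_root: str, entry_name: str) -> str:
    """Return 'ok', 'escape' or 'escape-to-startup' for one archive entry."""
    root = ntpath.normpath(extract_root).lower()
    prefix = root if root.endswith("\\") else root + "\\"
    dest = resolve_destination(extract_root, entry_name).lower()
    if dest.startswith(prefix):
        return "ok"
    # Escaped the extraction folder; is the target directory a Startup folder?
    if ntpath.dirname(dest).endswith(STARTUP_SUFFIX):
        return "escape-to-startup"
    return "escape"


def audit_entries(extract_root: str, entry_names) -> list[tuple[str, str]]:
    """Classify every entry; any verdict other than 'ok' should block extraction."""
    return [(name, classify_entry(extract_root, name)) for name in entry_names]


# Constructed sample listing (hypothetical paths, not taken from a real archive).
SAMPLE_ROOT = r"C:\Users\alice\Downloads\report"
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"docs\..\notes.txt",
    r"..\sibling.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
]

if __name__ == "__main__":
    for name, verdict in audit_entries(SAMPLE_ROOT, SAMPLE_ENTRIES):
        print(f"{verdict:18} {name}")
```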
Proof of exploitation and the malware involved
ESET researchers Anton Cherepanov, Peter Košinár and Peter Strýček discovered the issue and reported active exploitation. As Strýček told reporters:
“ESET has observed spearphishing emails with attachments containing RAR files.”
ESET said those RAR files exploited CVE-2025-8088 to deliver RomCom backdoors. RomCom — tracked by some analysts as Storm-0978, Tropical Scorpius, or UNC2596 — is a Russia-aligned threat actor known for credential theft, data-theft extortion, and ties to ransomware operations including Cuba and Industrial Spy. The group has a history of using zero-day flaws and custom malware for persistence and exfiltration.
ESET said a fuller technical report on the exploitation will be published at a later date.
What was reported and what organizations should note
- The vulnerability is a directory traversal bug fixed in WinRAR 7.13.
- Exploits were observed in phishing campaigns that used weaponized RAR attachments.
- The attack relied on silently extracting payloads into autorun paths so that they execute at the next user login.
- The observed payloads were RomCom backdoors; RomCom is a threat actor linked to credential theft and ransomware campaigns.
- ESET is preparing a detailed report on the incidents.