02-09-25, 01:56 AM
WinRAR has released version 7.13 to fix a critical zero-day vulnerability (CVE-2025-8088, CVSS 8.8) that was exploited in real-world attacks. The flaw, a path traversal bug, allowed attackers to craft malicious archive files that execute arbitrary code when extracted.
The issue, discovered by ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek, affected older versions of WinRAR, RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code.
Exploitation in the Wild
Paper Werewolf (aka GOFFEE): Suspected of using the exploit in July 2025 against Russian organizations, often delivered through phishing emails with booby-trapped archives.
RomCom (Russia-aligned APT): Detected using the zero-day from July 18, 2025, against finance, manufacturing, defense, and logistics firms in Europe and Canada. Their attacks deployed backdoors such as SnipBot, RustyClaw, and Mythic agent, with persistence achieved via malicious DLLs and Windows Startup LNK files.
Dark Web Link
Before the attacks, a cybercriminal called “zeroplayer” advertised a WinRAR zero-day on a Russian forum for $80,000, suggesting groups may have purchased and weaponized it.
Technical Details
The flaw allowed NTFS alternate data streams (ADS) with relative paths to overwrite files in unintended directories, such as the Windows Startup folder, leading to persistence and code execution.
Malicious payloads included .NET loaders that exfiltrate system info and fetch additional malware.
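The defensive check this bug class calls for is to validate every archive entry name before anything is written to disk: reject absolute paths and drive letters, reject NTFS alternate data stream syntax, and reject names that resolve outside the extraction root. The following is an added illustration of that check, not code from WinRAR or ESET; the entry names it inspects are constructed samples, and the check is purely lexical (it does not cover symlink-based escapes like the 7-Zip issue mentioned below).

```python
import ntpath
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryVerdict:
    name: str
    allowed: bool
    reason: str


def check_entry_name(name: str) -> EntryVerdict:
    """Decide whether an archive entry name may be written under the extraction root."""
    if not name or not name.strip():
        return EntryVerdict(name, False, "empty name")
    # Archive tools accept both separator styles, so normalise before inspecting.
    unified = name.replace("\\", "/")
    # Absolute paths, drive-relative paths (C:foo) and UNC paths all escape the root.
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return EntryVerdict(name, False, "absolute path or drive letter")
    # A colon in an entry name is NTFS alternate data stream syntax (file.txt:stream);
    # it has no legitimate use in a portable archive and is how this bug was triggered.
    if ":" in unified:
        return EntryVerdict(name, False, "NTFS alternate data stream syntax")
    # Resolve "." and ".." lexically; anything still starting with ".." leaves the root.
    normalised = posixpath.normpath(unified)
    if normalised == ".." or normalised.startswith("../"):
        return EntryVerdict(name, False, "path traversal outside destination")
    # Note: a lexical check cannot see symlinks already extracted earlier in the
    # same archive; an extractor must additionally refuse to write through links.
    return EntryVerdict(name, True, "ok")


def rejected_entries(names: list[str]) -> list[EntryVerdict]:
    """Return the verdicts for every entry that must not be extracted."""
    return [v for v in (check_entry_name(n) for n in names) if not v.allowed]


# Constructed sample entry list mixing benign names with the shapes a safe extractor rejects.
SAMPLE_ENTRIES = [
    "report/summary.txt",          # ordinary relative path
    "report/../summary.txt",       # contains "..", but still resolves inside the root
    "../../outside.txt",           # classic traversal
    "sub\\..\\..\\escape.txt",     # same traversal with Windows separators
    "notes.txt:hidden",            # alternate data stream syntax
    "C:\\tmp\\x.txt",              # absolute path with drive letter
]

if __name__ == "__main__":
    for verdict in rejected_entries(SAMPLE_ENTRIES):
        print(f"REJECT {verdict.name!r}: {verdict.reason}")
```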
Related Vulnerabilities
CVE-2025-6218 (patched June 2025): Another directory traversal bug also abused in attacks.
7-Zip (CVE-2025-55188, CVSS 2.7): Patched in version 25.01 to fix a symbolic link handling issue enabling arbitrary file writes.
Outlook
The incidents mark the second consecutive year WinRAR has been hit with an exploited vulnerability. Security experts warn the campaigns reflect a broader geopolitical motivation by Russian-aligned groups to weaponize zero-days against high-value targets.
Bottom line: Users should update to WinRAR 7.13 immediately to stay protected.
