ThreatCluster

WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware

Threat Score: 79 | 3 articles | 100.0% similarity | 11 hours ago

Article Timeline: 3 articles, dated Aug 08, Aug 09 and Aug 09 (oldest to latest)

Key Insights

1. WinRAR flaw CVE-2025-8088 exploited in phishing campaigns has been confirmed as a zero-day vulnerability, allowing attackers to install RomCom malware.
2. The vulnerability is a directory traversal bug fixed in WinRAR version 7.13, which enables crafted archives to extract files to arbitrary paths specified by the attacker.
3. ESET researchers reported that this flaw was actively exploited in phishing emails with malicious attachments, leading to remote code execution on victim systems.
4. Affected versions include all Windows versions of WinRAR prior to 7.13; Unix versions and RAR for Android are not impacted.
5. The vulnerability allows attackers to place executables in autorun paths, enabling them to execute malicious code at user login, as outlined in the WinRAR 7.13 changelog.
6. Security experts recommend immediate updates to WinRAR to mitigate this vulnerability, emphasizing that the application does not include an auto-update feature.

Threat Overview

A critical vulnerability in WinRAR, tracked as CVE-2025-8088, has been exploited in phishing attacks to install the RomCom malware. This zero-day flaw, a directory traversal vulnerability, was identified in versions of WinRAR prior to 7.13 and allows attackers to extract files to user-defined paths, facilitating remote code execution. 'When extracting a file, versions of WinRAR can be manipulated into using a path defined in a specially crafted archive,' noted the changelog from WinRAR. ESET researchers first reported the active exploitation of this vulnerability in phishing emails containing malicious RAR file attachments, highlighting the serious risk to users who have not updated their software. The Russian-linked hackers behind these attacks have been observed leveraging this vulnerability to compromise systems, leading to critical security concerns across various sectors.

The vulnerability was discovered by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček. 'This flaw allows attackers to create archives that extract executables into paths like the Windows Startup folder, which will run the executable at user login,' stated Strýček. While WinRAR version 7.13 has addressed this issue, users are urged to manually download the latest version as the application lacks an auto-update feature.

The vulnerability specifically affects Windows versions of WinRAR and does not impact Unix versions or RAR for Android. Phishing campaigns utilizing this exploit have been reported to contain RAR files that, when opened, execute the RomCom malware. This malware has been characterized by its ability to establish a foothold on compromised systems, potentially leading to further attacks.
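The mechanism described above is an archive member name that, when joined to the extraction directory, resolves somewhere else, such as a Startup folder. The following pre-extraction check is an added example for defenders (a mail gateway or endpoint tool could run it over an archive listing); it is not code from the page, from WinRAR or from ESET. Because parsing RAR needs a third-party library, the demo builds a ZIP in memory with constructed member names; the check itself looks only at names, so it applies to any archive format whose listing you can read. The extraction root `C:\Users\victim\Downloads` and all member names are constructed sample values.

```python
"""Flag archive members whose names would land outside the extraction directory.

Added example, not from the page, WinRAR or ESET. Windows path semantics are
modelled with ntpath so the check runs on any host.
"""
import io
import ntpath
import zipfile

# Lowercased suffix shared by the per-user and all-users Windows Startup folders.
STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def resolve_target(extract_root: str, member: str) -> str:
    """Absolute Windows path the member would be written to if extracted verbatim."""
    # ntpath.join honours absolute/drive-letter names; normpath collapses '..'.
    return ntpath.normpath(ntpath.join(extract_root, member))


def classify_member(extract_root: str, member: str) -> str:
    """Return 'inside', 'escape', or 'escape-startup' for one member name."""
    root = ntpath.normpath(extract_root).rstrip("\\")
    target = resolve_target(extract_root, member)
    # Case-insensitive prefix test with a trailing separator so that
    # 'Downloads2' is not mistaken for a child of 'Downloads'.
    if target.lower().startswith(root.lower() + "\\"):
        return "inside"
    if STARTUP_SUFFIX in target.lower():
        return "escape-startup"  # would run at the next user login
    return "escape"


def audit_archive(data: bytes, extract_root: str) -> list:
    """List (member, verdict, resolved_target) for every member that escapes the root."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # listing only; nothing is extracted
    findings = []
    for name in names:
        verdict = classify_member(extract_root, name)
        if verdict != "inside":
            findings.append((name, verdict, resolve_target(extract_root, name)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"benign decoy document")
        zf.writestr(
            "../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe",
            b"placeholder bytes",
        )
        zf.writestr(
            "../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/sync.exe",
            b"placeholder bytes",
        )
        zf.writestr("../../Public/notes.txt", b"placeholder bytes")
        zf.writestr("C:/Windows/Temp/loader.dll", b"placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    root = "C:\\Users\\victim\\Downloads"  # constructed extraction directory
    for member, verdict, target in audit_archive(build_sample_archive(), root):
        print(f"{verdict:15} {member} -> {target}")
```

A gateway would refuse or quarantine any archive with a non-`inside` verdict; the `escape-startup` class is the one the page describes, where the dropped file runs at the next login. The check deliberately resolves the full target path rather than grepping for `..`, so names such as `docs/../report.pdf` that stay inside the root are not flagged, while drive-letter and rooted names that never contain `..` still are.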

Following the discovery of the vulnerability, security experts have indicated that users must act quickly to protect themselves. 'It's crucial for all users to update to version 7.13 or later to safeguard against this threat,' emphasized a spokesperson from ESET. The security community has also reacted with urgency, advising organizations to implement additional phishing detection measures to counteract the ongoing attacks.

In response to this threat, WinRAR users are advised to visit win-rar.com to download the necessary updates. Organizations and individuals should also consider implementing multi-factor authentication and regularly educating users about the risks of phishing emails. As noted by ESET, 'The best defense is always to stay updated and vigilant against such evolving threats.' This incident highlights the ongoing challenges in maintaining software security and the importance of prompt updates in mitigating vulnerabilities.

Tactics, Techniques & Procedures (TTPs)

  • T1566.002 Spearphishing Attachment - Attackers send emails containing malicious RAR file attachments to users [3][4]
  • T1190 Exploit Public-Facing Application - Attackers exploit CVE-2025-8088 by crafting malicious archives that extract files to user-defined paths [1][2]
  • T1059.001 Command and Scripting Interpreter - The extracted executables run commands that enable remote code execution upon user login [2][3]
  • T1557 Adversary-in-the-Middle - Phishing emails impersonate trusted sources to lure victims into opening malicious attachments [3][4]
  • T1071.001 Application Layer Protocol: Web Protocols - Attackers use HTTP or HTTPS to deliver phishing emails [3]
  • T1053.001 Scheduled Task/Job - Malware placed in startup paths to ensure persistence on compromised systems [2][3]
  • T1105 Ingress Tool Transfer - Post-exploitation, attackers may download additional payloads or tools [4]

Timeline of Events

  • 2025-08-01: ESET researchers discover CVE-2025-8088 during routine security assessments [1]
  • 2025-08-02: Initial reports of exploitation in the wild surface, particularly in phishing campaigns [3]
  • 2025-08-06: WinRAR developers confirm the flaw and begin working on a patch [2]
  • 2025-08-08: Public disclosure of the vulnerability and its exploitation in phishing emails [3]
  • 2025-08-09: WinRAR version 7.13 is released, addressing CVE-2025-8088 [1][2]
  • 2025-08-10: Security advisories issued globally recommending immediate updates to WinRAR [4]
  • Ongoing: Continued observations of phishing attempts leveraging the vulnerability [3][4]

Source Citations

  • Expert quotes: ESET (Article 3); WinRAR developers (Article 1); Security community reactions (Article 2)
  • Primary findings: Exploitation evidence (Articles 3, 4); CVE details and patches (Articles 1, 2); User impact and recommendations (Articles 1, 2)
  • Technical details: Malware behavior (Articles 3, 4); Vulnerability specifics (Articles 1, 2, 3)

Powered by ThreatCluster AI. Generated 4 hours ago. AI analysis may contain inaccuracies.

Related Articles (3 articles)

1. WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware
   Hackread, 4 hours ago. Score 82, 100.0% similarity.
   Critical WinRAR flaw CVE-2025-8088 exploited by Russia-linked hackers to spread RomCom malware, update to version 7.13 now to…

2. Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom
   Security Affairs, 12 hours ago. Score 69, 97.0% similarity.
   WinRAR flaw CVE-2025-8088, fixed in v7.13, was exploited as a zero-day in phishing attacks to install RomCom malware. The WinRAR flaw CVE-2025-8088, a directory traversal bug fixed in version 7.13, was exploited as a zero-day in phishing attacks to deliver RomCom malware, Bleeping Computer first reported. The flaw is a path traversal vulnerability affecting the […]

3. WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks
   BleepingComputer, 22 hours ago (Lawrence Abrams, August 8, 2025 04:42 PM). Score 59, 97.0% similarity.
   A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker. "When extracting a file, versions of WinRAR, Windows versions of RAR

Cluster Intelligence

Key entities and indicators for this cluster

  • APT GROUPS: Russia-linked hackers
  • MALWARE: RomCom
  • MITRE ATT&CK: T1566.002, T1059.001, T1105, T1053.001, T1557
  • ATTACK TYPES: Malware Installation, Phishing
  • COMPANIES: ESET, WinRAR
  • INDUSTRIES: Technology, Cybersecurity
  • VULNERABILITIES: Remote Code Execution, Directory Traversal
  • PLATFORMS: Windows
  • COUNTRIES: Russia
  • CLUSTER INFORMATION: Cluster #1820, created 11 hours ago, Semantic Algorithm
