PT-2025-32352 · Rarlab+1 · Winrar

Anton Cherepanov +2 · Published 2025-07-30 · Updated 2026-04-14 · CVE-2025-8088

CVSS v3.1: 8.8 High (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

WinRAR versions prior to 7.13

Description

WinRAR versions prior to 7.13 are affected by a path traversal vulnerability (CVE-2025-8088) that allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability has been actively exploited in the wild by multiple threat actors, including Russia-linked groups (RomCom, Paper Werewolf) and China-linked groups (Amaranth-Dragon, APT41). Attackers leverage this flaw to drop malicious files into Startup folders or other system locations, achieving persistence and executing payloads. The vulnerability is exploited through phishing campaigns delivering specially crafted RAR archives. Alternate Data Streams (ADS) are often used to hide malicious payloads within the archives. The vulnerability was patched in WinRAR version 7.13, but many users remain vulnerable due to the lack of an auto-update feature. Multiple reports indicate ongoing exploitation, even months after the patch release.

Recommendations

Update WinRAR to version 7.13 or later immediately. As there is no auto-update feature, manual updates are required. Consider disabling WinRAR integration with Windows Explorer or restricting its execution via Group Policy if an immediate update is not possible.
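
A triage check for archive listings, built on the behaviours described above and added here as an example (it is not code from this advisory or from RARLAB): it flags entry names that would resolve outside the chosen extraction folder, that use NTFS alternate-data-stream syntax, or that land in a Startup folder. The function names, the sample entry names and the extraction path are constructed for illustration.

```python
import ntpath  # Windows path rules, so the check gives the same answer on any OS

# Assumption: per-user and all-users Startup folders both contain this path segment.
STARTUP_SEGMENT = "\\start menu\\programs\\startup\\"


def triage_entry(name, dest_root):
    """Return sorted findings for one archive entry name extracted under dest_root."""
    findings = set()
    name = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        # "file:stream" syntax addresses an NTFS alternate data stream.
        findings.add("ads")
    root = ntpath.normcase(ntpath.normpath(dest_root))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    # Absolute names and surplus ".." components resolve outside the chosen folder.
    if target != root and not target.startswith(root + "\\"):
        findings.add("escapes-destination")
    if STARTUP_SEGMENT in target:
        findings.add("startup-folder")
    return sorted(findings)


def triage_listing(names, dest_root):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in names:
        findings = triage_entry(name, dest_root)
        if findings:
            report[name] = findings
    return report


# Constructed sample listing and extraction folder (not taken from any real archive).
SAMPLE_ROOT = r"C:\Users\alice\Downloads\invoice"
SAMPLE_NAMES = [
    "docs/readme.txt",
    "invoice.pdf:hidden.bin",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
]

if __name__ == "__main__":
    for entry, why in triage_listing(SAMPLE_NAMES, SAMPLE_ROOT).items():
        print(f"{entry}: {', '.join(why)}")
```

The check inspects entry names only, so it is useful for mail-gateway or sandbox triage of attachments but does not replace updating to 7.13.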

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-09597
CVE-2025-8088

Affected Products

Winrar