PT-2025-32352 · Rarlab +1 · Winrar
Anton Cherepanov +2 · Published 2025-07-30 · Updated 2026-02-17 · CVE-2025-8088
CVSS v3.1: 8.8 (High)
Base vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WinRAR versions prior to 7.13
Description
WinRAR is vulnerable to a critical path traversal flaw (CVE-2025-8088) that lets attackers write files outside the intended extraction path and execute arbitrary code by means of crafted archive files. The vulnerability has been actively exploited in the wild by multiple threat actors, including Russia-linked groups (RomCom, Paper Werewolf) and China-linked actors (Amaranth-Dragon, APT41). Attackers embed malicious payloads in Alternate Data Streams (ADS) of RAR archives; when such an archive is extracted, the payloads can be written to the Windows Startup folder or other system locations, leading to code execution. Exploitation has been observed in phishing campaigns and is used to deploy malware such as SnipBot, RustyClaw, Mythic Agent, and TGAmaranth RAT. The flaw allows attackers to bypass security measures and gain persistent access to compromised systems.
Recommendations
Update WinRAR to version 7.13 or later immediately.
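A defender-side check for the behaviour described above, as an added example that is not part of the original advisory: it flags file-creation events in which an archiver process writes into a Windows Startup folder. The field names follow Sysmon Event ID 11 (`Image`, `TargetFilename`); the sample events and the list of watched process names are constructed assumptions.

```python
import ntpath

# Assumption: which archiver binaries to watch is a local choice, not from the advisory.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}

# Matches both the per-user and the all-users Startup folder, case-insensitively.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample events (Sysmon Event ID 11 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\cv\resume.pdf"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\updater.lnk"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\notes.lnk"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows"
                       r"\Start Menu\Programs\StartUp\svc.exe"},
]


def is_archiver(image):
    """True if the creating process is one of the watched archiver binaries."""
    return ntpath.basename(ntpath.normpath(image)).lower() in ARCHIVER_IMAGES


def in_startup(path):
    """True if the written file lies inside a Startup folder.

    normpath unifies slash direction and collapses relative segments first,
    so the match runs on the final location of the file.
    """
    return STARTUP_MARKER in ntpath.normpath(path).lower()


def suspicious(events):
    """Return events where an archiver wrote a file into a Startup folder."""
    return [e for e in events
            if is_archiver(e["Image"]) and in_startup(e["TargetFilename"])]


if __name__ == "__main__":
    for event in suspicious(SAMPLE_EVENTS):
        print("ALERT:", event["Image"], "->", event["TargetFilename"])
```
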
Fix
RCE
Weakness Enumeration
Related Identifiers
BDU:2025-09597
CVE-2025-8088
Affected Products
Winrar