WinRAR Zero-Day Under Active Exploitation

THREAT SUMMARY

A critical zero-day vulnerability in WinRAR, tracked as CVE-2025-8088 (CVSS 8.8), is being actively exploited by multiple threat actors, including Russia-aligned groups Paper Werewolf and RomCom. The flaw, a path traversal vulnerability in Windows versions of WinRAR, RAR, UnRAR, and related components, allows specially crafted archive files to write malicious files outside the intended directory, potentially enabling arbitrary code execution.

AFFECTED VERSIONS

• WinRAR up to and including 7.12

• RAR, UnRAR, portable UnRAR source code, and UnRAR.dll (Windows versions)

Fixed Version:

• WinRAR 7.13 (released July 30, 2025)

TECHNICAL DETAILS

• Exploitation requires user interaction (opening or extracting a malicious archive).

• Attackers use alternate data streams (ADSes) and crafted file paths to place payloads in sensitive locations such as the Windows Startup folder.

• Payloads observed include:

   ◦ .NET loader for system info exfiltration and malware delivery

   ◦ Mythic agent, SnipBot, RustyClaw, and MeltingClaw downloaders

• Delivery methods: phishing emails with decoy documents and resume-themed lures.
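As an added defensive example, not code from the advisory or from RARLAB: a Python pre-extraction check that flags archive entry names of the kinds described above (traversal outside the extraction directory, absolute or drive-rooted paths, NTFS alternate data stream syntax, and paths that resolve into a Startup folder). It assumes the entry names come from the archive tool's listing (it does not parse RAR files itself), uses the placeholder extraction root C:\Extract, and applies Windows path rules via ntpath so it runs on any OS.

```python
import ntpath
import re
from typing import Dict, List

# Lower-cased substring that identifies a Windows Startup folder (assumed marker).
STARTUP_MARKER = r"\start menu\programs\startup"
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_entry(name: str, dest_root: str = r"C:\Extract") -> List[str]:
    """Return the reasons an archive entry is unsafe to extract under dest_root.
    An empty list means the entry stays inside dest_root and has no ADS syntax."""
    reasons: List[str] = []
    candidate = name.replace("/", "\\")          # archives may use either separator
    if _DRIVE_RE.match(candidate):
        drive, rest = candidate[:2], candidate[2:]
    else:
        drive, rest = "", candidate
    if ":" in rest:                               # "file.txt:stream" is NTFS ADS syntax
        reasons.append("alternate data stream in entry name")
    if drive or rest.startswith("\\"):            # C:x, C:\x and \x all ignore dest_root
        reasons.append("absolute or drive-rooted path")
    root = ntpath.normpath(dest_root)
    target = ntpath.normpath(ntpath.join(root, candidate))  # where it would land
    try:
        escapes = ntpath.commonpath([root, target]) != root
    except ValueError:                            # different drive: cannot be inside root
        escapes = True
    if escapes:
        reasons.append("path traversal outside extraction directory")
    if STARTUP_MARKER in target.lower():          # persistence location named in the advisory
        reasons.append("resolves into a Startup folder")
    return reasons


def scan_listing(names: List[str], dest_root: str = r"C:\Extract") -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; safe entries are omitted."""
    return {n: r for n in names if (r := classify_entry(n, dest_root))}


# Constructed listing for this example: one benign entry and four suspicious ones.
SAMPLE_LISTING = [
    "docs\\report.pdf",
    "..\\..\\Users\\Public\\escape.txt",
    "D:\\tools\\x.txt",
    "notes.txt:stream",
    "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.exe",
]

if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE_LISTING).items():
        print(f"{entry!r}: {', '.join(why)}")
```

Feed it the name column of an `unrar l` listing or `zipfile.ZipFile.namelist()` and refuse extraction when anything is returned; a patched extractor rejects these paths itself, so this check is a second line for mail gateways and sandboxes rather than a replacement for updating.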

THREAT ACTOR ACTIVITY

• Paper Werewolf (GOFFEE): Linked to exploitation campaigns in Russia; the group likely purchased the zero-day from cybercriminal forums.

• RomCom: Targeted financial, manufacturing, defense, and logistics companies in Europe and Canada with advanced backdoors.

IMPACT

Successful exploitation may allow:

• Arbitrary file write outside intended directories

• Persistent malware installation

• Data theft and remote access to compromised systems

MITIGATION STEPS

1. Update WinRAR immediately to version 7.13 from the official website.

2. Block archive attachments (.rar, .zip) from untrusted sources.

3. Disable Windows ADS execution where possible.

4. Enable antivirus/EDR scanning for archive files before extraction.

5. Provide user awareness training so that users avoid opening suspicious archives.

RECOMMENDATION

All users and organizations should apply the update without delay and review systems for signs of compromise. Archives from unknown sources should be treated as potentially malicious.

REFERENCES

WinRAR Security Advisory

ESET Threat Intelligence Reports

Rarlab

SL-CSIRT
