WinRAR, a widely used file compression program, was affected by a critical vulnerability, **CVE-2025-8088**, a **path traversal flaw** actively exploited by the **Russian RomCom hacking group** against organizations in **Europe and Canada**. The flaw allowed attackers to execute **arbitrary code** via maliciously crafted archives: entry paths bypassed the chosen extraction directory, so files could be written to unintended system locations. This enabled **full system compromise**, potential **data theft**, or **malware deployment** (e.g., ransomware, spyware). The vulnerability affected **all WinRAR versions (0–7.12)** on Windows, including the command-line tools (RAR/UnRAR) and DLL libraries. While no **direct data breaches** were confirmed in the article, the **exploitation risk** was severe because of the flaw's **high CVSS score (8.4)** and **active in-the-wild abuse**. The U.S. **CISA** mandated that federal agencies patch by **September 2, 2025**, underscoring its criticality. Users who failed to update to **version 7.13** risked **lateral movement attacks**, **credential theft**, or **operational disruption** if their systems were compromised. The incident highlights the **supply-chain risk** posed by ubiquitous software with **millions of global users**, where a single vulnerability can enable **large-scale cyberattacks** across sectors.
Source: https://cybersecuritynews.com/cisa-added-winrar-zero-day-vulnerability/
TPRM report: https://www.rankiteo.com/company/win.rar-gmbh
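The summary above describes the class of bug at issue: an archive entry name that, once joined to the extraction directory, resolves somewhere else. The following is an added example, not WinRAR's or RARLAB's code and not derived from the patched extraction logic; it shows the defensive validation an extractor should apply to every entry name before writing anything. The destination directory and the entry names are constructed samples (the function and parameter names are the example's own), and the alternate-data-stream check is a general Windows hardening measure, not something the page attributes to this CVE.

```python
"""Validate archive entry names before extraction (added example).

Each entry name is normalised and confirmed to resolve strictly inside the
chosen destination directory. Rejected names are collected so an extractor
can log them, which is the kind of "unexpected file write" signal a
defender would want surfaced.
"""
import os
import re

# Drive-qualified ("C:...") or UNC ("\\\\server\\share") prefixes.
WINDOWS_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def is_safe_entry_path(entry_name: str, dest_dir: str) -> bool:
    """Return True only if entry_name would land strictly inside dest_dir."""
    if not entry_name or "\x00" in entry_name:
        return False
    # Archive formats may carry either separator; treat both uniformly.
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or WINDOWS_DRIVE_OR_UNC.match(entry_name):
        return False  # absolute, drive-qualified or UNC path
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return False  # empty name or a traversal component
    # Defensive extra for Windows targets (assumption, not from the page):
    # a colon inside a component names an alternate data stream or device.
    if any(":" in p for p in parts):
        return False
    # Final containment check after symlink resolution of the destination.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return target.startswith(dest + os.sep)


def triage_entries(entry_names, dest_dir):
    """Split entry names into (allowed, rejected) so the caller can log rejects."""
    allowed, rejected = [], []
    for n in entry_names:
        (allowed if is_safe_entry_path(n, dest_dir) else rejected).append(n)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample entry names; none come from a real archive.
    sample = ["docs/readme.txt", "../../outside.txt", "C:\\Users\\Public\\x.txt"]
    ok, bad = triage_entries(sample, "/tmp/extract-demo")
    print("allowed:", ok)
    print("rejected:", bad)
```

The containment test is deliberately two-layered: the component scan rejects obvious traversal and absolute names early, and the `realpath` comparison catches anything that would still escape after symlink resolution of the destination. An extractor that performs only one of the two is the kind that path traversal flaws in archive tools keep catching out.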
```json
{
  "id": "win313081425",
  "linkid": "win.rar-gmbh",
  "type": "Vulnerability",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```python
{'affected_entities': [{'customers_affected': 'All Windows users of WinRAR 0–7.12 (millions globally)',
                        'industry': 'Software Development (Compression Tools)',
                        'location': 'Global (HQ: Germany)',
                        'name': 'WinRAR (RARLAB)',
                        'type': 'Software Vendor'}],
 'attack_vector': ['Malicious Archive Files', 'Directory Traversal'],
 'customer_advisories': ['Public patch notification', 'Media alerts'],
 'data_breach': {'data_exfiltration': ['Potential (if exploited for malware deployment)']},
 'date_publicly_disclosed': '2025-07-30',
 'date_resolved': '2025-07-30',
 'description': 'WinRAR released version 7.13 to address a critical path traversal vulnerability '
                '(CVE-2025-8088, CVSS 8.4) actively exploited by the Russian RomCom group. The flaw '
                'allows arbitrary code execution via maliciously crafted archives, bypassing '
                'extraction paths to write files to unintended system locations. Affected systems '
                'include all WinRAR versions 0–7.12 for Windows, UnRAR.dll, and portable UnRAR. '
                'Immediate updates are mandated by CISA for federal agencies (due by September 2, 2025).',
 'impact': {'brand_reputation_impact': ['High (due to widespread use and critical severity)'],
            'identity_theft_risk': ['High (if additional malware deployed)'],
            'operational_impact': ['Potential system compromise',
                                   'Data theft',
                                   'Malware payload deployment'],
            'systems_affected': ['Windows systems running WinRAR 0–7.12',
                                 'UnRAR.dll',
                                 'Portable UnRAR']},
 'initial_access_broker': {'backdoors_established': ['Potential (if follow-on malware deployed)'],
                           'entry_point': 'Malicious RAR/ZIP archives (e.g., phishing emails, compromised websites)',
                           'high_value_targets': ['European and Canadian companies (per ESET)']},
 'investigation_status': 'Ongoing (ESET and WinRAR collaboration)',
 'lessons_learned': ['Critical vulnerabilities in widely used utilities require rapid patching.',
                     'Path traversal flaws can enable full system compromise via seemingly benign files.',
                     'Supply chain risks extend to compression tools used for software distribution.'],
 'motivation': ['Cyberespionage', 'Data Theft', 'Malware Deployment'],
 'post_incident_analysis': {'corrective_actions': ['Input validation hardening in v7.13',
                                                   'Expanded testing for path traversal scenarios',
                                                   'Collaboration with security researchers for pre-release audits'],
                            'root_causes': ['Inadequate path validation in WinRAR’s extraction logic',
                                            'Lack of sandboxing for archive operations',
                                            'Delayed patch for a known attack vector (similar to CVE-2023-38831)']},
 'recommendations': ['Immediately update WinRAR to v7.13 or later.',
                     'Avoid processing untrusted archives until patched.',
                     'Monitor systems for signs of exploitation (unexpected file writes, new processes).',
                     'Implement application allow-listing for archive extraction tools.',
                     'Federal agencies must comply with CISA’s mitigation deadline (2025-09-02).'],
 'references': [{'source': 'ESET Research'},
                {'source': 'CISA Known Exploited Vulnerabilities Catalog',
                 'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
                {'source': 'WinRAR Release Notes (v7.13)',
                 'url': 'https://www.win-rar.com/'},
                {'source': 'ANY.RUN Malware Analysis Platform',
                 'url': 'https://any.run/'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Catalog (Binding Operational Directive 22-01)']},
 'response': {'communication_strategy': ['Public advisory',
                                         'Release notes (2025-08-12)',
                                         'Media outreach'],
              'containment_measures': ['Emergency patch (v7.13)',
                                       'CISA KEV catalog inclusion (mandatory federal mitigation by 2025-09-02)'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Update to WinRAR 7.13',
                                       'Discontinue use if update delayed'],
              'third_party_assistance': ['ESET Research Team (Anton Cherepanov, Peter Košinár, Peter Strýček)']},
 'stakeholder_advisories': ['CISA (federal agencies)',
                            'Enterprise IT teams',
                            'Individual users'],
 'threat_actor': 'RomCom Group (Russian-state linked APT)',
 'title': 'WinRAR CVE-2025-8088 Path Traversal Vulnerability Exploitation by RomCom Group',
 'type': ['Vulnerability Exploitation',
          'Path Traversal',
          'Arbitrary Code Execution'],
 'vulnerability_exploited': 'CVE-2025-8088 (Path Traversal in WinRAR/UnRAR for Windows)'}
```