Critical WinRAR Vulnerability Actively Exploited: Google Urges Immediate Update
Critical WinRAR Vulnerability Actively Exploited: Google Urges Immediate Update
- Linux Kernel Drops 40-Year-Old AppleTalk Protocol — AI-Generated Patch Flood Was the Last Straw
- Apple’s Native Linux Container Tool Has Arrived — But Can It Really Replace Docker?
- 60% of MD5 Password Hashes Can Be Cracked in Under an Hour with a Single GPU
- Dirty Frag: Root Access on Every Major Linux Distribution — No Patch, No Warning
- How Close Are Quantum Computers to Breaking RSA-2048?
- What is the best alternative to Microsoft Office?
Critical WinRAR Vulnerability Actively Exploited: Google Urges Immediate Update
Global security alert issued as state-sponsored hacking groups weaponize path traversal flaw affecting millions of users
Google’s Threat Intelligence Group (GTIG) has issued an urgent global security warning about a high-risk vulnerability in WinRAR that is being actively exploited by multiple sophisticated hacking organizations, with numerous victims already reported worldwide.
The Vulnerability: CVE-2025-8088
The critical security flaw, designated CVE-2025-8088, affects WinRAR version 7.12 and all earlier versions. With a CVSS severity score of 8.4 out of 10, the vulnerability allows attackers to write malicious files to system directories during the extraction process, ultimately enabling code execution and complete system compromise.
While developer RARLAB released a patch in version 7.13, the absence of automatic update functionality in WinRAR means vast numbers of users remain exposed to this threat.
How the Attack Works
The exploitation technique leverages a sophisticated combination of Windows’ Alternate Data Streams (ADS) feature and path traversal vulnerabilities:
- Concealment: Attackers hide malicious files within the ADS of seemingly innocent decoy files inside RAR archives
- Deception: When victims open the decoy file, WinRAR silently extracts malicious payloads in the background
- Traversal: The vulnerability enables directory traversal, allowing attackers to write files (such as LNK, HTA, BAT, or script files) to arbitrary system locations
- Persistence: Malicious files are typically deposited in Windows’ Startup folder, ensuring automatic execution at the user’s next login
- Control: Once executed, the malware establishes persistent backdoor access, giving attackers complete system control
Active Threat Actors
According to Google’s intelligence, several prominent hacking organizations are actively weaponizing this vulnerability:
- UNC4895 (RomCom): A financially-motivated cybercrime group
- APT44: A state-sponsored advanced persistent threat actor
- Turla: A sophisticated espionage group linked to Russian intelligence
Attack Campaign Details
The threat actors are primarily deploying spear-phishing campaigns with malicious RAR attachments disguised as:
- Job application resumes
- Business invoices
- Legitimate business documents
These campaigns have successfully deployed various backdoor trojans including Snipbot and Mythic Agent. Victims span critical sectors including:
- Financial services
- Manufacturing
- Defense contractors
- Logistics and supply chain
Immediate Action Required
Security experts emphasize the urgency of updating WinRAR immediately. Users should:
- Check current version: Open WinRAR and navigate to Help > About to verify your version number
- Download update: Visit the official WinRAR website to download version 7.13 or later
- Manual installation: Since WinRAR lacks automatic updates, manual installation is required
- Verify installation: Confirm the new version is properly installed after updating
Broader Security Implications
This incident highlights critical challenges in software security:
- Legacy software risks: Popular applications without auto-update mechanisms create persistent security gaps
- Supply chain vulnerabilities: Compression utilities are ubiquitous across organizations, making them attractive targets
- User awareness gap: Many users remain unaware they’re running vulnerable software versions
As of January 28, 2025, cybersecurity researchers continue to observe active exploitation attempts, making immediate patching essential for all WinRAR users. Organizations should prioritize identifying and updating all installations within their networks to prevent potential breaches.
The vulnerability serves as a stark reminder that even widely-trusted utilities can harbor critical security flaws, and timely software updates remain one of the most effective defenses against cyber threats.
