WinRAR Vulnerability CVE-2025-8088 Remains Actively Exploited — Users Urged to Update Immediately
If you are running WinRAR 7.12 or earlier, you are vulnerable to remote code execution. Update to version 7.13 now via win-rar.com.
Overview
A critical path traversal vulnerability in WinRAR — tracked as CVE-2025-8088 with a CVSS score of 8.4 — was first exploited in the wild on July 18, 2025, by the Russia-aligned advanced persistent threat (APT) group RomCom. Despite a patch being released by RARLAB on July 30, 2025, Google’s Threat Intelligence Group (GTIG) confirmed in January 2026 that exploitation by multiple threat actors — including both state-sponsored and financially motivated groups — remains widespread and ongoing.
The vulnerability affects the Windows version of WinRAR 7.12 and all earlier releases, as well as the UnRAR.dll component. Non-Windows platforms are not affected.
Severity: CVSS 8.4 (High). Fixed in: WinRAR 7.13 (released Jul 30, 2025).
How the Attack Works
The flaw is a path traversal vulnerability enabled through the misuse of alternate data streams (ADSes). Attackers craft a malicious RAR archive that, when extracted with a vulnerable version of WinRAR, silently drops an executable payload into the Windows Startup folder — bypassing any folder destination chosen by the user. The payload then runs automatically every time the system boots, establishing persistent access.
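The control this class of bug defeats is the containment check an extractor must apply to every name it reads from an archive: the final write location, including any alternate data stream suffix, has to resolve inside the folder the user chose. The Python below is an added illustration of that check and is not WinRAR's or RARLAB's code. It uses the standard-library ntpath module so Windows path semantics apply on any host, treats ADS names conservatively (any separator or colon inside a stream name is rejected), and runs over a constructed list of entry names, including one that would land in the Startup folder and one that hides traversal in a stream name, as the page describes.

```python
"""Containment check for archive extraction targets (added illustration).

Every archive entry name, including an NTFS alternate data stream (ADS)
suffix such as "file.txt:stream", is untrusted input. The extractor must
only write to locations that resolve inside the user-chosen destination.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Verdict:
    entry: str
    allowed: bool
    reason: str
    target: Optional[str] = None  # resolved write path when allowed


def check_entry(dest_dir: str, entry_name: str) -> Verdict:
    """Decide whether an archive entry may be written under dest_dir."""
    if not ntpath.isabs(dest_dir):
        raise ValueError("dest_dir must be an absolute Windows path")
    dest = ntpath.normpath(dest_dir)

    # Split any drive letter or UNC prefix first, so a drive colon is not
    # mistaken for an ADS separator. Archive entries must never be absolute.
    drive, rest = ntpath.splitdrive(entry_name)
    if drive:
        return Verdict(entry_name, False, "absolute path or UNC prefix")

    # Split off an ADS suffix. A stream name is data, not a path: it must not
    # carry separators or further colons (this also rejects ":$DATA" suffixes).
    name, sep, stream = rest.partition(":")
    if sep and (not stream or any(c in stream for c in "\\/:")):
        return Verdict(entry_name, False, "stream name contains path components")
    if not name:
        return Verdict(entry_name, False, "empty file name")
    if name.startswith(("\\", "/")):
        return Verdict(entry_name, False, "rooted path")

    # Resolve ".." and mixed separators, then require the result to stay
    # under dest. commonpath compares case-insensitively, matching NTFS.
    target = ntpath.normpath(ntpath.join(dest, name))
    try:
        inside = ntpath.commonpath([dest, target]) == dest
    except ValueError:  # different drives or absolute/relative mix
        inside = False
    if not inside:
        return Verdict(entry_name, False, "resolves outside destination", target)
    if target == dest:
        return Verdict(entry_name, False, "resolves to the destination itself", target)
    return Verdict(entry_name, True, "ok", target + (":" + stream if sep else ""))


def scan_entries(dest_dir: str, entries: List[str]) -> List[Verdict]:
    """Apply check_entry to every name an archive listing produced."""
    return [check_entry(dest_dir, e) for e in entries]


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "invoice.pdf",
    r"docs\readme.txt",
    r"docs\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Windows\Temp\x.exe",
    r"report.docx:..\..\hidden.exe",
    r"report.docx:comment",
]

if __name__ == "__main__":
    for v in scan_entries(r"C:\Users\alice\Downloads", SAMPLE_ENTRIES):
        print("ALLOW" if v.allowed else "BLOCK", v.entry, "->", v.reason)
```

The decisive step is resolving the joined path with normpath before comparing it against the destination; checking the raw entry name for ".." is not enough, because traversal can be introduced through mixed separators or, as in this case, through a name component the extractor appends after the user's chosen folder has already been validated.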
Threat Actors & Targets
ESET Research, which discovered the zero-day and notified RARLAB, has attributed the initial campaign to RomCom — a sophisticated, Russia-aligned APT group involved in both cyber-espionage and financially motivated operations. This marks at least the third known instance of RomCom deploying a zero-day exploit in active campaigns.
A second threat actor, tracked as Paper Werewolf by Russian cybersecurity firm BI.ZONE, independently began exploiting the same vulnerability a few days after RomCom. Both groups appear to have obtained the exploit through a cybercrime forum, where it was reportedly listed for sale at $80,000. Google’s Threat Intelligence Group further confirmed that Chinese government-backed groups and additional financially motivated actors are also exploiting CVE-2025-8088 as an n-day vulnerability.
Targeted sectors include:
Victims span organizations in Europe, Canada, and beyond. Paper Werewolf’s campaigns were directed at Russian organizations, demonstrating that the threat is not geographically limited to Western targets.
Why So Many Users Remain Unpatched
Unlike most modern software, WinRAR does not include an automatic update mechanism. Users must manually check for updates and download new versions from the official website. This design choice, combined with WinRAR’s large global install base accumulated over decades of widespread use, means a substantial proportion of users are running outdated versions long after patches become available. Security researchers and multiple organizations have identified this manual-only update model as the primary reason exploitation remains effective months after a fix was issued.
How to Protect Yourself
- Open WinRAR on your Windows computer.
- Click the Help menu in the top navigation bar.
- Select “About WinRAR” to view your current version number.
- If the version shown is 7.12 or lower, your installation is vulnerable.
- Visit the official WinRAR website at win-rar.com and download the latest version (7.13 or newer).
- Run the installer to complete the upgrade. No data or settings will be lost.
Organizations should also audit any software that bundles or depends on the UnRAR.dll component and ensure those are updated to version 7.13 Final as well. Security teams should conduct vulnerability scanning to confirm all instances are remediated across their environment.
- ESET Research — “RomCom exploits a new vulnerability in the wild, this time in WinRAR” (August 2025) · welivesecurity.com
- Google Threat Intelligence Group — “Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088” (January 27, 2026) · cloud.google.com
- Greenbone / OpenVAS — CVE-2025-8088 Advisory · greenbone.net
- Help Net Security — “WinRAR zero-day was exploited by two threat actors” (August 2025) · helpnetsecurity.com
- SecPod Blog — “WinRAR CVE-2025-8088: RomCom’s Doorway to Remote Code Execution” (August 2025) · secpod.com
