WinRAR Update Addresses Critical Zero-Day Vulnerability
The team behind WinRAR, the popular file archiving utility, recently released an important update aimed at fixing a zero-day vulnerability that is currently being actively exploited. This flaw, identified as CVE-2025-8088, has a high severity rating of 8.8 on the CVSS scale, indicating its potential for significant impact.
Understanding the Vulnerability
This vulnerability is characterized as a path traversal issue affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code through the creation of malicious archive files. According to an advisory from WinRAR, previous versions of the software, as well as related utilities like RAR, UnRAR, and UnRAR.dll, could be manipulated into extracting files from unintended paths, leading to serious security risks.
Discovery and Patch Release
ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek discovered and reported this security defect. In response, WinRAR issued a patch in version 7.13 on July 31, 2025, effectively mitigating the risk associated with CVE-2025-8088.
As of now, it remains unclear how this vulnerability is being utilized in real-world attacks. A similar vulnerability discovered in 2023 (CVE-2023-38831) saw significant exploit activity, particularly by threat actors from China and Russia.
Ongoing Threat Landscape
A recent report from the Russian cybersecurity company BI.ZONE highlighted that the hacker group known as Paper Werewolf, also referred to as GOFFEE, might be leveraging CVE-2025-8088 along with another vulnerability (CVE-2025-6218) that was patched in June 2025.
Suspicion arose when it was reported that a threat actor named “zeroplayer” attempted to sell an alleged exploit for this flaw on the dark web for a staggering $80,000. It is believed that the Paper Werewolf group could have acquired this exploit to facilitate their attacks.
Attack Mechanisms
In earlier advisories, WinRAR cautioned users that by utilizing specially crafted archives, malicious actors could manipulate file paths during the extraction process. This manipulation can lead to files being extracted outside their intended directories, potentially allowing harmful files to infiltrate sensitive system locations such as the Windows Startup folder. Executing these malicious files could result in unintended consequences during system login.
BI.ZONE’s report suggests that Russian entities were targeted through phishing emails that contained booby-trapped archives. These attacks utilized both the newly discovered CVE-2025-8088 and the existing CVE-2025-6218 vulnerabilities to achieve unauthorized code execution. Victims were often distracted by decoy documents while the real threats were executing behind the scenes.
Technical Insights into the Vulnerability
This vulnerability arises from how RAR archives can incorporate files with alternative data streams that include relative paths. During the unpacking process, this data could be written to arbitrary directories on the disk, constituting a directory traversal attack. The affected versions of WinRAR extend up to 7.12; however, version 7.13 effectively resolves this issue.
One of the notable payloads associated with these attacks is a .NET loader. This loader is designed to extract system information and establish communication with an external server for further malware deployment, which may include encrypted .NET assemblies.
Related Security Updates in the Industry
In parallel, 7-Zip recently patched a separate but related vulnerability (CVE-2025-55188, CVSS score: 2.7) that allows for arbitrary file writes due to improper handling of symbolic links during the extraction process. This vulnerability could potentially lead to unauthorized access or code execution, particularly on Unix systems, but can also affect Windows systems with certain prerequisites in place.
Security researchers have indicated that exploiting this flaw could result in jeopardizing critical files such as SSH keys or .bashrc configurations, making this a noteworthy concern for users across multiple platforms.
Conclusion
The situation surrounding WinRAR and the vulnerabilities that have surfaced highlights the importance of maintaining updated software to safeguard against emerging threats. Users are urged to update to the latest version to mitigate these risks effectively. While the cybersecurity landscape remains fraught with challenges, staying informed and proactive can significantly enhance protection against potential exploits.
