WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately

Aug 11, 2025Ravie LakshmananZero-Day / Vulnerability

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability.

Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path,” WinRAR said in an advisory.

Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 31, 2025.

It’s currently not known how the vulnerability is being weaponized in real-world attacks, and by whom. In 2023, another vulnerability affecting WinRAR (CVE-2023-38831, CVSS score: 7.8) came under heavy exploitation, including as a zero-day, by multiple threat actors from China and Russia.

Russian cybersecurity vendor BI.ZONE, in a report published last week, said there are indications that the hacking group tracked as Paper Werewolf (aka GOFFEE) may have leveraged CVE-2025-8088 alongside CVE-2025-6218, a directory traversal bug in the Windows version of WinRAR that was patched in June 2025.

It’s important to note that prior to these attacks, a threat actor identified as “zeroplayer” was spotted advertising on July 7, 2025, an alleged WinRAR zero-day exploit on the Russian-language dark web forum Exploit.in for a price tag of $80,000. It’s suspected that the Paper Werewolf actors may have acquired it and used it for their attacks.

“In previous versions of WinRAR, as well as RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction,” WinRAR said in an alert for CVE-2025-6218 at the time.

“User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory. This flaw could be exploited to place files in sensitive locations – such as the Windows Startup folder – potentially leading to unintended code execution on the next system login.”

The attacks, per BI.ZONE, targeted Russian organizations in July 2025 via phishing emails bearing booby-trapped archives that, when launched, triggered CVE-2025-6218 and likely CVE-2025-8088 to write files outside the target directory and achieve code execution, while a decoy document is presented to the victim as a distraction.

“The vulnerability is related to the fact that when creating a RAR archive, you can include a file with alternative data streams, the names of which contain relative paths,” BI.ZONE said. “These streams can contain arbitrary payload. When unpacking such an archive or opening an attached file directly from the archive, data from the alternative streams is written to arbitrary directories on the disk, which is a directory traversal attack.”

“The vulnerability affects WinRAR versions up to and including 7.12. Starting with version 7.13, this vulnerability is no longer reproduced.”

One of the malicious payloads in question is a .NET loader that’s designed to send system information to an external server and receive additional malware, including an encrypted .NET assembly.

“Paper Werewolf uses the C# loader to get the victim’s computer name and send it in the generated link to the server to get the payload,” the company added. “Paper Werewolf uses sockets in the reverse shell to communicate with the control server.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!