
WinRAR Zero-Day Vulnerability Exploited in Targeted Attacks

The maintainers of WinRAR, a widely used file archiving utility, have released an urgent update to address a zero-day vulnerability that has been actively exploited in the wild.


Tracked as CVE-2025-8088 (CVSS score: 8.8), the flaw is a path traversal issue in the Windows version of WinRAR: a crafted archive can make the extractor write a file to a location the attacker chooses instead of inside the folder the user selected. Because that location can be one Windows runs automatically, the write leads to arbitrary code execution. The user still has to open and extract the archive, which is why the attacks deliver it by phishing.

Technical Details of CVE-2025-8088

When extracting files, affected versions of WinRAR honor a maliciously crafted relative path carried inside the archive rather than confining the write to the intended extraction directory. Since the attacker chooses the destination, this opens the door to:

  • Writing files outside the target directory

  • Planting malicious files in sensitive locations (for example, the user's Startup folder)

  • Executing arbitrary code on the victim's system, typically at the next login

The vulnerability affects the Windows builds of:

  • WinRAR

  • The RAR and UnRAR command-line utilities

  • Portable UnRAR source code

  • UnRAR.dll

Unix and Android builds of RAR and UnRAR are not affected.

The issue was discovered and reported by Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET and has been patched in WinRAR version 7.13 (released July 31, 2025).

Exploitation in the Wild

This is not the first time a WinRAR zero-day has been weaponized: in 2023, CVE-2023-38831 was heavily exploited by Chinese and Russian threat actors.

Russian cybersecurity firm BI.ZONE reported that the Paper Werewolf threat group (aka GOFFEE) likely exploited CVE-2025-8088 in combination with another WinRAR directory traversal flaw, CVE-2025-6218, which was patched in June 2025.

Attackers reportedly:

  1. Sent phishing emails containing booby-trapped archives.

  2. Exploited both vulnerabilities to write files outside intended directories.

  3. Achieved code execution while displaying a decoy document to the victim.

Link to Dark Web Sales

Before these attacks, a threat actor known as “zeroplayer” was observed advertising a WinRAR zero-day exploit on the Exploit.in forum for $80,000. Investigators suspect that Paper Werewolf may have purchased and deployed it.

Attack Methodology

The flaw could be exploited through alternate data streams (ADS) inside a RAR archive whose stream names embed relative paths (such as repeated "..\" components). When the archive is unpacked, WinRAR writes those streams to the path the name points at instead of attaching them to the host file, so arbitrary payloads land in system directories such as the Windows Startup folder, ensuring execution at the victim's next login.
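As an added example covering both the path traversal described under "Technical Details" and the ADS variant described here (this is not code from the article, WinRAR, ESET or BI.ZONE): a Python check that treats every archive entry name, including the stream part of a "host:stream" alternate data stream entry, as a candidate write path, resolves it with Windows path rules against the extraction directory, and flags anything that would land outside it. The entry listing is constructed for illustration, and the destination folder and function names are assumptions; the check runs on any platform because it uses ntpath rather than the host OS path rules.

```python
import ntpath

# Constructed sample listing (illustrative, not a captured archive): each entry is
# the name stored in the archive; "host:stream" denotes an NTFS alternate data
# stream attached to the host file, the way WinRAR displays ADS entries.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:Zone.Identifier",
    "docs\\readme.txt",
    "docs\\..\\readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "report.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "C:\\Windows\\Temp\\loader.exe",
    "\\\\srv\\share\\loader.exe",
]


def split_ads(name):
    """Split 'host:stream' into (host, stream_or_None), ignoring a drive-letter colon."""
    start = 2 if len(name) >= 2 and name[0].isalpha() and name[1] == ":" else 0
    idx = name.find(":", start)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])


def resolve(dest, rel):
    """The path an extractor would write to, normalised with Windows (ntpath) rules.

    ntpath.join discards dest when rel is absolute or UNC, and normpath collapses
    '..' components, so the result is where the bytes would really land."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(dest, rel.replace("/", "\\"))))


def escapes(dest, rel):
    """True if writing rel under dest would land outside dest."""
    base = ntpath.normcase(ntpath.normpath(dest))
    target = resolve(dest, rel)
    return target != base and not target.startswith(base + "\\")


def check_entry(dest, name):
    """Return (is_safe, reason) for one archive entry name."""
    host, stream = split_ads(name)
    if escapes(dest, host):
        return False, "file path escapes extraction directory: " + host
    if stream is not None:
        # A stream name should never be a path. If it carries separators, or would
        # resolve outside its host file's directory, treat the entry as hostile.
        host_dir = ntpath.dirname(ntpath.join(dest, host))
        if "\\" in stream or "/" in stream or escapes(host_dir, stream):
            return False, "stream name used as a path: " + stream
    return True, "ok"


def scan(dest, entries):
    """Classify every entry; returns a list of (name, is_safe, reason)."""
    return [(name,) + check_entry(dest, name) for name in entries]


if __name__ == "__main__":
    # Assumed extraction folder; only the four benign entries should pass.
    for name, ok, reason in scan("C:\\Users\\alice\\Downloads\\out", SAMPLE_ENTRIES):
        print("SAFE " if ok else "BLOCK", name, "->", reason)
```

The same containment test (resolve the full target, then require it to stay under the chosen directory) is what a fixed extractor has to apply to every name it writes, stream names included; checking only the file name, as the vulnerable behaviour amounts to, leaves the ADS path untested.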

One observed malicious payload was a .NET loader capable of:

  • Gathering system information (e.g., computer name)

  • Sending details to a command-and-control (C2) server

  • Downloading and executing additional malware via reverse shell communication

Mitigation and Recommendations

  • Update immediately to WinRAR 7.13 or later. WinRAR does not update itself, so the new build has to be installed manually or pushed through software management.

  • Avoid opening archives from untrusted sources.

  • Use endpoint protection capable of detecting malicious archive behaviors.

  • Implement email filtering to block suspicious attachments.

WinRAR’s maintainers emphasize that versions up to and including 7.12 are vulnerable and that updating is the most effective protection.