
Recently uncovered WinRAR vulnerability linked to Russian cyber-intrusion group enables installation of covert malware - zero-day attack requires manual update to fix the issue

The severe WinRAR vulnerability tracked as CVE-2025-8088 has been fixed in the update to version 7.13.


Cybersecurity experts have issued a warning about a critical directory traversal vulnerability, CVE-2025-8088, in WinRAR software that is currently being exploited by the cybercrime group RomCom. This group, also known as Storm-0978, Tropical Scorpius, Void Rabisu, or UNC2596, is using this flaw to deliver malware silently to targeted organisations, primarily in Europe and Canada, but also expanding its reach to the U.S. and internationally.

The vulnerability allows attackers to deposit malicious files into unintended locations, such as the user-specific startup folder at , or the system-wide startup folder at . Placing an executable file in a startup folder gives the attacker persistence and code execution the next time the system reboots or the user logs on.

RomCom has been distributing malicious RAR archives disguised as job application documents via spear-phishing emails. They have deployed multiple sophisticated payloads using this vulnerability, including the Mythic agent, SnipBot variant, and MeltingClaw (RustyClaw) downloader.

The flaw is a path traversal through alternate data streams (ADS) in WinRAR and related components (including UnRAR.dll, the Windows command-line utilities, and the portable UnRAR source code). An archive entry's ADS name can carry a path that escapes the chosen extraction directory, so malicious DLL and LNK files hidden in the archive are silently extracted to arbitrary locations.
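As an added illustration (not code from WinRAR, RARLAB or the advisory), the following Python check shows the validation an extractor should apply to archive entry names to block the kinds of names this flaw relies on: an alternate-data-stream suffix, '..' components, an absolute path or drive letter, and anything that resolves outside the destination directory. The sample entry names are constructed for the example and do not come from a real RomCom archive.

```python
import ntpath
from typing import List, Optional, Tuple

# Constructed sample entry names, as they might appear in a RAR listing.
SAMPLE_ENTRIES = [
    "cv/resume.docx",                            # benign relative path
    "resume.docx:..\\..\\Startup\\update.lnk",   # ADS name carrying traversal
    "..\\..\\AppData\\Roaming\\loader.dll",      # plain '..' traversal
    "C:\\Windows\\Temp\\x.dll",                  # absolute path with drive letter
    "notes.txt:Zone.Identifier",                 # ADS without traversal
]


def classify_entry(dest_dir: str, name: str) -> Tuple[str, Optional[str]]:
    """Return ('ok', resolved_target) for a safe entry, or (reason, None).

    Windows path rules are applied via ntpath so the check behaves the same
    on any platform; dest_dir is the directory the user chose for extraction.
    """
    unified = name.replace("/", "\\")          # archives may use either separator
    # On Windows a ':' in a name is either a drive letter (C:) or the ADS
    # separator (file:stream). Neither belongs in an archive entry, so reject
    # both rather than trying to parse the stream name.
    if ":" in unified:
        return ("ads_or_drive", None)
    if unified.startswith("\\"):               # rooted path, e.g. \Windows\...
        return ("absolute", None)
    if any(part == ".." for part in unified.split("\\")):
        return ("traversal", None)
    # Belt and braces: resolve the final path and confirm it stays inside dest.
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, unified))
    if ntpath.commonpath([dest, target]).lower() != dest.lower():
        return ("escapes_destination", None)
    return ("ok", target)


def audit_entries(dest_dir: str, names: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that must not be extracted."""
    rejected = []
    for name in names:
        verdict, _ = classify_entry(dest_dir, name)
        if verdict != "ok":
            rejected.append((name, verdict))
    return rejected


if __name__ == "__main__":
    for entry, reason in audit_entries("C:\\extract", SAMPLE_ENTRIES):
        print(f"REJECT {reason:20s} {entry}")
```

Note that the check also refuses harmless stream names such as Zone.Identifier: from a defender's point of view an extractor has no reason to write any alternate data stream on behalf of an untrusted archive.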

WinRAR released patched version 7.13 on July 30, 2025, fixing this flaw. Because WinRAR does not update itself, users of WinRAR and the related tools are advised to install version 7.13 or later immediately. Given the stealth and persistence techniques used by RomCom, defence in depth is also advised: treat unsolicited email attachments with caution, especially RAR archives from unknown senders; use endpoint protection that can detect malicious behaviour or block untrusted DLL and LNK files in system folders; and monitor the startup folders for new content and watch for unexpected network activity that could indicate backdoor communication.

It is important to note that the Unix versions of RAR, UnRAR, the portable UnRAR source code, the UnRAR library, and RAR for Android are not affected by this vulnerability. A similar directory traversal flaw, CVE-2025-6218, was reported in June by independent security researcher "whs3-detonator"; however, that vulnerability does not appear to be exploited in the wild at present.

In summary, the RomCom group is actively exploiting CVE-2025-8088 in WinRAR to infiltrate targeted organisations via malicious archives. Windows users must immediately install the latest WinRAR update (v7.13 or higher) and employ strong email and endpoint defenses to mitigate this sophisticated threat.

  1. Because the cybercrime group RomCom is actively exploiting the critical directory traversal vulnerability CVE-2025-8088 in WinRAR, it is essential to strengthen cybersecurity measures and stay informed about related technology and crime-and-justice news.
  2. In a threat landscape where flaws such as CVE-2025-8088 are being actively exploited, organisations must prioritise cybersecurity, including prompt software updates and heightened vigilance against spear-phishing emails and suspicious attachments such as RAR archives.
