A critical path traversal vulnerability in WinRAR, tracked as CVE-2025-8088, has been actively exploited in the wild, allowing attackers to execute arbitrary code on Windows systems. This zero-day flaw, with a CVSS score of 8.8, was exploited before its disclosure on August 8, 2025, and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of August 12, 2025.
The vulnerability, identified by ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček, affects the Windows version of WinRAR. It involves a path traversal issue that can be triggered by specially crafted archive files, enabling attackers to execute malicious code. The exploitation of this flaw has been linked to the distribution of the RomCom malware, a persistent threat that has been used in various cybercriminal campaigns.
Reports indicate that the vulnerability has been leveraged in phishing attacks, where malicious actors distribute compromised archive files to unsuspecting users. Once opened, these files exploit the vulnerability to install malware on the victim's system, often without detection. The RomCom malware, in particular, has been observed using this method to gain startup persistence, ensuring it remains active even after system reboots.
The exploitation of CVE-2025-8088 has not been limited to indiscriminate attacks. Check Point Research has highlighted its use in targeted espionage campaigns, particularly in Southeast Asia. These campaigns, attributed to a group dubbed "Amaranth-Dragon," have focused on gathering intelligence from specific targets, underscoring the vulnerability's appeal to both cybercriminals and state-sponsored actors.
Google has issued warnings about the active exploitation of this vulnerability, emphasizing the need for immediate attention from organizations using WinRAR. The availability of at least 31 proof-of-concept exploits further increases the risk, as it lowers the barrier for attackers to leverage this flaw.
In response to the threat, security experts recommend that users and organizations update to the latest version of WinRAR, which addresses this vulnerability. Additionally, implementing robust email filtering and user education can help mitigate the risk of phishing attacks that exploit this flaw.
The exploitation of CVE-2025-8088 highlights the ongoing challenges posed by zero-day vulnerabilities, particularly in widely used software like WinRAR. As attackers continue to innovate and exploit such flaws, it is crucial for organizations to maintain vigilant patch management and threat detection practices to protect their systems from emerging threats.
CSURFACE