WinRAR Zero-Day Vulnerability
The developers behind the popular WinRAR file archiving utility have issued an urgent security update to patch a zero-day vulnerability actively exploited in the wild. Tracked as CVE-2025-8088 with a CVSS score of 8.8, the flaw is a path traversal bug in the Windows version of WinRAR that allows attackers to execute arbitrary code through specially crafted archive files.
The fix was shipped in WinRAR version 7.13, released on July 31, 2025. The vulnerability impacts not only WinRAR but also RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows.
How the Exploit Works
The flaw occurs because earlier versions of WinRAR could be tricked into extracting files using a malicious path specified inside the archive rather than the intended extraction path. This behavior can be exploited to place files in sensitive system directories, such as the Windows Startup folder, leading to automatic code execution on the next system login.
The related vulnerability CVE-2025-6218, patched in June 2025, also enabled directory traversal attacks. Threat actors could use both flaws together to manipulate file paths during extraction, write files outside designated folders, and run malicious code while showing a decoy document to distract the victim.
Threat Actor Activity and Dark Web Links
Cybersecurity researchers have linked the recent exploitation of CVE-2025-8088 to the hacking group Paper Werewolf (aka GOFFEE). This group may have paired the flaw with CVE-2025-6218 to launch targeted attacks.
Investigations revealed that on July 7, 2025, a cybercriminal known as 'zeroplayer' advertised an alleged WinRAR zero-day on the Russian-language forum Exploit.in for $80,000. It is suspected that Paper Werewolf obtained this exploit and weaponized it in real-world attacks.
Attack Campaign Details
In July 2025, Russian organizations were targeted through phishing emails containing malicious archives. When victims opened these files, the exploit chain leveraged both vulnerabilities to:
- Write files to directories outside the intended extraction path.
- Trigger code execution without the victim's awareness.
A notable technical detail is that attackers created RAR archives with NTFS alternate data streams whose stream names contained relative paths. These streams carried arbitrary payloads and, when extracted or opened directly from the archive, were written to any chosen directory on the disk.
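As an added illustration (not WinRAR's code, nor anything from the researchers' reports), the Python check below shows the containment test an extractor has to apply to every archive member name before writing it, covering both the relative-path traversal described under "How the Exploit Works" and the alternate-data-stream variant above. The member names, the destination path, and the function names are all constructed for this example.

```python
import ntpath

# Constructed sample archive member names (not taken from any real sample).
# The last three mirror the patterns the advisory describes: a relative path
# climbing into the Startup folder, an absolute path, and an NTFS alternate
# data stream whose stream name carries a relative path.
SAMPLE_ENTRIES = [
    "report/summary.docx",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Windows\\Temp\\payload.dll",
    "decoy.pdf:..\\..\\stager.exe",
]


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Return True only if writing entry_name would land inside dest_dir.

    ntpath is used so Windows rules (backslashes, drive letters, NTFS
    streams, case-insensitive comparison) apply whatever host runs the
    check. dest_dir is assumed to be an absolute Windows path.
    """
    name = entry_name.replace("/", "\\")
    # Absolute, UNC or drive-relative ("C:foo") names must never be honoured.
    if name.startswith("\\") or ntpath.splitdrive(name)[0]:
        return False
    # Any ':' left after the drive check is NTFS stream syntax (file:stream);
    # an archive member name has no legitimate reason to carry one.
    if ":" in name:
        return False
    # Defence in depth: refuse '..' components outright instead of trusting
    # normalisation alone.
    if ".." in name.split("\\"):
        return False
    # The real invariant: the normalised target still sits under dest_dir.
    base = ntpath.normpath(dest_dir).rstrip("\\") + "\\"
    target = ntpath.normpath(ntpath.join(base, name))
    return target.lower().startswith(base.lower())


def unsafe_entries(dest_dir: str, entry_names: list[str]) -> list[str]:
    """Member names that would escape dest_dir. A non-empty result on an
    archive listing is a reason to quarantine it rather than extract it."""
    return [n for n in entry_names if not is_safe_entry(dest_dir, n)]


if __name__ == "__main__":
    for name in unsafe_entries("C:\\Users\\victim\\Downloads\\extract", SAMPLE_ENTRIES):
        print("BLOCKED:", name)
```

Run over a listing produced by an archive tool before extraction, the same function doubles as a cheap triage check for mail-gateway or sandbox pipelines.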
Payload Capabilities
One of the identified malicious payloads is a .NET-based loader that:
- Collects system information, such as the victim's computer name.
- Sends the data to a remote server.
- Downloads additional malware, including an encrypted .NET assembly.
Paper Werewolf reportedly uses this loader in combination with a reverse shell over sockets, allowing direct communication with their command-and-control infrastructure.
Recommended Action
Users of WinRAR should immediately update to version 7.13 or later to eliminate the risk from CVE-2025-8088 and CVE-2025-6218. Any organization, especially those handling sensitive data, should review email security policies, disable automatic file execution from archives, and monitor for suspicious extraction behavior.