WinRAR is perhaps best known for its endless “please pay” prompt, even though you could keep using it for free indefinitely. It remains one of the most popular unarchiving tools available on Windows; however, it has recently seen a significant vulnerability.
A newly discovered WinRAR zero-day vulnerability is being actively exploited, according to ESET Security Researchers, who found the vulnerability. Tracked as CVE-2025-8088, the flaw has been linked to a Russian-aligned hacking group known as RomCom, which has a history of targeting governments, infrastructure, and non-governmental organizations.
Here’s what you need to know about the exploit – and what to do if you still use WinRAR.
How the WinRAR zero-day vulnerability works
The flaw works by letting hackers place files on your computer in locations they usually find difficult to access. It’s known as a directory traversal flaw, which means malicious files can be extracted outside of the folder you choose.
It’s officially tracked as CVE-2025-8088 and affects only specific versions of WinRAR, with Windows PCs being the primary target. Specifically, versions before 7.13. This also comes after another exploit was found earlier in the year, CVE-2025-31334, which affected versions prior to 7.11 that allowed attackers to bypass Windows Mark of the Web security warning function.
The exploit lets attackers place files in system paths that can be used to harm your computer, including locations that make those files run automatically when the system starts.
Once in place, the malicious files can operate silently in the background, allowing hackers to execute commands remotely after a reboot. According to ESET, RomCom has used this flaw to deliver spyware and other malicious programs, including SnipBot, RustyClaw, and Mythic Agent. The group was actively exploiting the bug before it was patched.
The Russian-linked hacking group behind the attacks
RomCom, also tracked as Storm-0978, is a hacking group with links to Russian cybercrime and cyber-espionage operations. They first appeared in mid-2022, targeting governments, energy, military, and water infrastructure in Ukraine.
Since then, it has broadened its focus to include organizations in the U.S., Europe, and other regions involved in Ukraine-related humanitarian efforts. They have also been linked to attacks on zero-day vulnerabilities found in Firefox and Windows.
The group is known for adapting its malware and delivery methods quickly, exploiting any vulnerabilities it can find. It often relies on spear-phishing campaigns, sending targeted emails designed to look legitimate and persuade recipients to open malicious attachments.
In the case of CVE-2025-8088, these emails typically carried RAR archives disguised as job applications, government documents, or other official files. When opened, the archive would extract backdoor malware onto the system, giving attackers remote access. RomCom also customizes its lures to match a target’s work or interests, making the deception even more challenging to spot.
Why you need to update manually
WinRAR doesn’t automatically update, so you’ll need to install the latest version yourself. The fix for this flaw arrived with version 7.13, and anyone running an older release is still at risk.
Updating is quick and straightforward, but it’s important to act now, as attackers are already exploiting the bug. Alongside CVE-2025-8088 and CVE-2025-31334, recent months have seen other archive-related vulnerabilities, including CVE-2025-6218, the latter two discovered in recent months.
Keeping WinRAR up to date not only protects you from these known flaws but also reduces the risk of falling victim to future vulnerabilities.
#CVE20258088 #WinRAR #Flaw #Hackers #Exploiting
