
The CVE-2025-8088 flaw in WinRAR’s Windows version is a path traversal vulnerability that allowed attackers to use crafted archive files to execute code and drop malicious content into restricted directories, including startup folders.
A newly patched vulnerability in the popular file compression tool WinRAR has been exploited by two separate cybercriminal groups in targeted malware campaigns, according to cybersecurity researchers.
The flaw, identified as CVE-2025-8088, is a path traversal vulnerability in the Windows version of WinRAR. It allowed attackers to craft specially designed archive files that could execute arbitrary code and drop malicious files into unauthorized directories on a victim’s system, including startup folders.
The vulnerability was first actively exploited in two distinct campaigns. The first was carried out by a group linked to RomCom, a threat actor believed to be aligned with Russian interests. Between July 18 and 21, RomCom used phishing emails disguised as job applications to target organizations in Europe and Canada across sectors such as finance, manufacturing, defense, and logistics.
The second group, tracked as Paper Werewolf, targeted Russian institutions. This campaign involved phishing emails impersonating employees from a research institute, with attachments falsely claiming to be official ministry communications. These attacks took place in early July, while the vulnerability was still considered a zero-day — unpatched and previously unknown to the public.
WinRAR addressed the issue in version 7.13 Final, released on July 30, 2025, closing the loophole used in these attacks. Security analysts now warn that the vulnerability could see broader exploitation, as technical details become more widely accessible to other threat actors.
Users of WinRAR are strongly urged to update to the latest version immediately. To check the current version, open WinRAR and navigate to Help > About WinRAR.
Security recommendations include keeping software updated, avoiding unsolicited email attachments, downloading programs from trusted sources, and using real-time malware protection.