WinRAR for Windows Vulnerability Exploited by Adversary Group RomCom (CVE-2025-8088)

August 14th, 2025

High

Our Cyber Threat Intelligence Unit has identified a high-severity vulnerability in WinRAR for Windows, tracked as CVE-2025-8088. The issue is a directory traversal flaw that lets an attacker place files outside the intended extraction folder, which can lead to arbitrary code execution. The threat actor group RomCom (also known as Storm-0978 or Tropical Scorpius) is exploiting this vulnerability in spear-phishing campaigns targeting the government, military, and critical infrastructure sectors. The attack relies on users extracting specially crafted malicious archives; the dropped malware then establishes command-and-control communications, enabling reconnaissance, lateral movement, and data exfiltration within compromised networks. WinRAR has released a fix in version 7.13, and, because WinRAR does not update itself, immediate manual updates are strongly advised to reduce exposure.

Technical Details

  • Severity: High

  • CVE-ID: CVE-2025-8088

  • CVSS Score: 8.8 (CVSS 3.1), 8.4 (CVSS 4.0)

  • Vulnerability Type: Path Traversal

  • Components Affected: Windows versions of WinRAR, RAR, UnRAR, Portable UnRAR source code, and UnRAR.dll

  • Affected Versions: All Windows builds prior to version 7.13

Attack Chain/Method:

  • Initial Vector: The attack begins with spear-phishing, in which users are tricked into extracting specially crafted malicious archive files.

  • Exploitation: The path traversal flaw lets a crafted archive write files to attacker-chosen locations outside the extraction folder, which is how arbitrary code execution is achieved.

  • Payload Delivery: The malicious payload is delivered through compressed archive files, which are commonly shared in business environments.

  • Post-Exploitation: Once extracted, the malware initiates command-and-control communications, facilitating reconnaissance, lateral movement, and data exfiltration.

  • Persistence: The RomCom group has been observed using this flaw to deploy backdoors, granting full remote access to compromised systems.

Impact

  • Data Security: Risk of data exfiltration, arbitrary code execution, and persistent backdoor deployment, facilitating long-term unauthorized access.

  • System Availability: Malicious files in autorun directories can cause instability, downtime, and operational disruptions.

  • Business Operations: Potential for espionage activity and service interruptions may lead to operational inefficiencies, especially for government, military, and critical infrastructure sectors.

  • Compliance & Financial: Breaches could trigger GDPR/HIPAA violations, regulatory scrutiny, legal penalties, and costs associated with response, recovery, and data loss.

  • Reputation: Publicized breaches can erode trust, damage brand reputation, and result in customer loss.

Detection Method

  • Network-Based: Monitor for unusual command-and-control (C2) traffic or data exfiltration, especially following archive extraction.

  • Host-Based: Scan for malicious archives or files linked to CVE-2025-8088 and watch for unexpected system file or configuration changes.

  • Behavioral: Flag suspicious archive extractions from unknown sources and detect patterns linked to spear-phishing or social engineering.

  • Log Analysis: Review security and system logs for signs of arbitrary code execution, lateral movement, or data exfiltration.

  • Monitoring Recommendations: Continuously monitor archive extraction activity, prioritize those from untrusted sources, and set alerts for C2 or exfiltration attempts.

  • Tools: Use EDR solutions capable of scanning archive contents before extraction.
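One way to implement the pre-extraction check the Tools bullet asks for, as an added example that is not tooling from the advisory or from WinRAR: it applies pure Windows path rules to an archive's entry listing (the listing below is constructed) and rejects any entry that would land outside the chosen extraction folder, which is the defect class behind CVE-2025-8088.

```python
"""Pre-extraction containment check for archive entry names.

Added example, not tooling from the advisory or from WinRAR. It models the
defect class behind CVE-2025-8088 (an entry name that resolves outside the
chosen extraction folder) using pure Windows path semantics, so it runs on
any OS and needs no RAR parser; the entry names below are constructed.
"""
from pathlib import PureWindowsPath


def is_safe_entry(name: str, dest_root: str) -> bool:
    """True only if extracting `name` under `dest_root` stays inside it."""
    p = PureWindowsPath(name.replace("/", "\\"))  # extractors accept both separators
    if not p.parts:
        return False  # empty or "." entry: nothing legitimate to extract
    if p.drive or p.root:
        return False  # C:\..., \\server\share\..., \Windows\...: absolute target
    if ":" in name:
        return False  # colon in a relative name is a drive spec or stream marker
    if ".." in p.parts:
        return False  # ..\..\ climbs out of the extraction folder
    root = PureWindowsPath(dest_root)
    target = root.joinpath(*p.parts)
    return root in target.parents  # final containment check on the joined path


def unsafe_entries(names, dest_root: str):
    """Return the entry names that would escape `dest_root`, in listing order."""
    return [n for n in names if not is_safe_entry(n, dest_root)]


if __name__ == "__main__":
    # Constructed listing: a benign decoy document next to traversal entries.
    listing = [
        "cv_document.pdf",
        "notes/readme.txt",
        "..\\..\\..\\AppData\\Roaming\\update.lnk",
        "C:\\Users\\Public\\helper.dll",
        "\\Windows\\helper.dll",
    ]
    for bad in unsafe_entries(listing, "C:\\Users\\alice\\Downloads\\attachment"):
        print("REJECT", bad)
```

Run the check over the entry listing before any file is written; an archive with even one rejected entry should be quarantined rather than extracted.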

Indicators of Compromise

SHA-1 | Filename | Detection | Description
371A5B8BA86FBCAB80D4E0087D2AA0D8FFDDC70B | Adverse_Effect_Medical_Records_2025.rar | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE-2025-8088; found on VirusTotal.
D43F49E6A586658B5422EDC647075FFD405D6741 | cv_submission.rar | LNK/Agent.AJN July, Win64/Agent.GPM | Archive exploiting CVE-2025-8088.
F77DBA76010A9988C9CEB8E420C96AEBC071B889 | Eli_Rosenfeld_CV2 - Copy (10).rar | Win64/Agent.GMQ | Archive exploiting CVE-2025-8088.
676086860055F6591FED303B4799C725F8466CF4 | Datos adjuntos sin título 00170.dat | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE-2025-8088.
1F25E062E8E9A4F1792C3EAC6462694410F0F1CA | JobDocs_July2025.rar | LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV | Archive exploiting CVE-2025-8088.
C340625C779911165E3983C77FD60855A2575275 | cv_submission.rar | LNK/Agent.AJN, Win64/Agent.GPM | Archive exploiting CVE-2025-8088.
C94A6BD6EC88385E4E831B208FED2FA6FAED6666 | Recruitment_Dossier_July_2025.rar | LNK/Agent.AJN, Win64/TrojanDownloader.Agent.BZV | Archive exploiting CVE-2025-8088.
01D32FE88ECDEA2B934A00805E138034BF85BF83 | install_module_x64.dll | Win64/Agent.GNV | MeltingClaw
AE687BEF963CB30A3788E34CC18046F54C41FFBA | msedge.dll | Win64/Agent.GMQ | Mythic agent used by RomCom
AB79081D0E26EA278D3D45DA247335A545D0512E | Complaint.exe | Win64/TrojanDownloader.Agent.BZV | RustyClaw
1AEA26A2E2A7711F89D06165E676E11769E2FD68 | ApbxHelper.exe | Win64/Agent.GPM | SnipBot variant

IP | Domain | Hosting provider | First seen | Details
162.19.175[.]44 | gohazeldale[.]com | OVH SAS | 2025-06-05 | MeltingClaw C&C server.
194.36.209[.]127 | srlaptop[.]com | CGI GLOBAL LIMITED | 2025-07-09 | C&C server of the Mythic agent used by RomCom.
85.158.108[.]62 | melamorri[.]com | HZHOSTINGLTD | 2025-07-07 | RustyClaw C&C server.
185.173.235[.]134 | campanole[.]com | FiberXpress BV | 2025-07-18 | C&C server of the SnipBot variant.


Recommendations

  • Patch Management: Immediately update WinRAR to version 7.13 or later across all Windows systems. Regularly check for and apply future updates.

  • Incident Response: Conduct rapid assessments to identify potential compromise, and review system and security logs for related activity.

  • Access Controls: Restrict archive-handling privileges to trusted users and disable automatic extraction in email clients or file-handling applications.

  • Detection & Monitoring:

      • Deploy updated endpoint protection capable of scanning archives before extraction.

      • Enhance monitoring for suspicious archive extraction activity, C2 traffic, and unauthorized access attempts.

      • Implement network segmentation to contain lateral movement.

  • User Awareness: Provide phishing-awareness training, emphasizing the verification of archive file sources, and encourage prompt reporting of suspicious emails or files.

  • Security Governance:

      • Regularly review and update security policies to address evolving threats.

      • Perform periodic security audits and penetration testing to identify and mitigate weaknesses.

Conclusion

The active exploitation of CVE-2025-8088 in WinRAR highlights how widely used utility software can be weaponized as an initial access vector. Threat intelligence reporting confirms that the RomCom adversary group is actively exploiting this vulnerability in targeted phishing campaigns against government, military, and critical infrastructure sectors, making immediate mitigation essential. We urge organizations using WinRAR on Windows to apply the version 7.13 update without delay, limit exposure to untrusted archives, and harden phishing defenses.