
A critical zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, has been actively exploited in targeted cyber-espionage operations, primarily against organisations in Europe and Canada.
The flaw is a path traversal vulnerability: a crafted RAR archive can make WinRAR write files outside the directory the user chose for extraction, for example into the Windows Startup folder. Anything placed there runs automatically at the next logon, which gives the attacker persistence without any further interaction from the victim.
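To make concrete what a path-traversal bug in an archive extractor lets an attacker do, the following is an added example (not code from this article, from ESET, or from RARLAB) that applies the checks a hardened extractor performs before writing any entry: it rejects names that are absolute, drive- or UNC-qualified, contain NTFS alternate-data-stream syntax or a NUL byte, or resolve via `..` to a location outside the chosen extraction directory, and it separately reports whether blind extraction would have dropped the file into the per-user Startup folder. The sample entry names, the extraction directory `C:\Users\alice\Downloads\application` and the profile path are constructed for illustration; the alternate-data-stream check is general extractor hygiene and is not a claim about how CVE-2025-8088 itself works. `ntpath` is used so Windows path semantics apply on whatever host runs the check.

```python
import ntpath

# Constructed sample archive entry names (hypothetical, not taken from the
# archives ESET analysed). The first two are what a genuine job-application
# archive might hold; the rest are the kinds of names a traversal payload relies on.
SAMPLE_ENTRIES = [
    "cv_john_doe.pdf",
    "docs/cover_letter.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    "../../../Users/Public/payload.dll",
    r"C:\Users\Public\payload.dll",
    r"\\server\share\evil.exe",
    "cv.pdf:hidden.exe",      # NTFS alternate data stream syntax
    "report.pdf\x00.exe",     # embedded NUL
]

# Assumed extraction location and user profile (hypothetical values).
DEST_ROOT = r"C:\Users\alice\Downloads\application"
USER_PROFILE = r"C:\Users\alice"

STARTUP_SUBPATH = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def resolved_target(dest_root: str, name: str) -> str:
    """Where an extractor would write `name` if it trusted the entry blindly."""
    return ntpath.normpath(ntpath.join(dest_root, name.replace("/", "\\")))


def is_safe_entry(dest_root: str, name: str) -> bool:
    """True only if `name` is a plain relative path that stays inside `dest_root`."""
    if not name or "\x00" in name:
        return False
    normalized = name.replace("/", "\\")
    # Absolute (\foo), drive-qualified (C:\foo) and UNC (\\server\share) names
    # are never acceptable inside an archive.
    if normalized.startswith("\\") or ntpath.splitdrive(normalized)[0]:
        return False
    # On NTFS a ':' denotes an alternate data stream (file.txt:stream);
    # a legitimate relative entry never needs one.
    if ":" in normalized:
        return False
    root = ntpath.normpath(dest_root)
    target = resolved_target(root, normalized)
    try:
        # After '..' resolution the target must still lie under the root.
        return ntpath.commonpath([root, target]) == root
    except ValueError:  # raised when the two paths are on different drives
        return False


def lands_in_startup(dest_root: str, name: str, user_profile: str) -> bool:
    """Would blind extraction of `name` drop a file into the per-user Startup
    folder? Anything there runs at the next logon, the persistence the advisory
    describes."""
    if not name or "\x00" in name:
        return False
    startup = ntpath.normpath(ntpath.join(user_profile, STARTUP_SUBPATH))
    target = resolved_target(dest_root, name)
    try:
        return ntpath.commonpath([startup, target]) == startup
    except ValueError:
        return False


def audit_entries(dest_root: str, names, user_profile: str) -> dict:
    """Classify every entry; returns {name: (safe, would_land_in_startup)}."""
    return {
        n: (is_safe_entry(dest_root, n), lands_in_startup(dest_root, n, user_profile))
        for n in names
    }


if __name__ == "__main__":
    for name, (safe, hits_startup) in audit_entries(
            DEST_ROOT, SAMPLE_ENTRIES, USER_PROFILE).items():
        verdict = "ok" if safe else "REJECT"
        flag = "  <-- would land in Startup" if hits_startup else ""
        print(f"{verdict:7} {name!r}{flag}")
```

Run directly, the script prints a verdict per entry; only the two ordinary document names pass, and the `..\..\AppData\...\Startup\updater.exe` entry is the one flagged as landing in Startup. The point is not to reimplement WinRAR but to show what "path traversal" means operationally: every name the archive controls has to be validated against the destination after normalisation, and for a closed-source extractor the only reliable remediation is the vendor's patch.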
Security researchers at ESET attribute the activity to the Russia-aligned RomCom group, which has previously demonstrated a strong capability for leveraging zero-days. In this campaign, attackers sent spear-phishing emails carrying booby-trapped RAR files disguised as legitimate documents, such as job applications.
When extracted, these files deployed backdoors and downloaders including SnipBot and RustyClaw, enabling remote command execution and the delivery of additional payloads. Victims included targets in the financial, defence, manufacturing, and logistics sectors.
RARLAB has issued an urgent patch, WinRAR 7.13, that addresses the flaw. Because the application has no automatic update mechanism, every installed copy older than 7.13 stays vulnerable until someone upgrades it, so users and organisations are strongly advised to update immediately, by hand or through their software deployment tooling.
The incident highlights an enduring risk in the software supply chain: even trusted tools can be weaponised if left unpatched. Security teams are urged to pair timely patching with user training to recognise phishing lures, particularly in high-value sectors.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543