
WinRAR zero-day exploited to plant malware on archive extraction

A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.

The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows a specially crafted archive to extract files into a file path chosen by the attacker rather than the destination the user selected.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.

“Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected.”

Using this vulnerability, attackers can create archives that extract executables into autorun paths, such as the Windows Startup folder located at:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (Local to user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (Machine-wide)

The next time a user logs in, the executable will automatically run, allowing the attacker to achieve remote code execution.
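The defensive check that an extractor needs against this class of bug is a path-containment test: resolve where each archive entry would actually be written and refuse anything that lands outside the chosen destination. The following is an added example, not code from WinRAR, ESET or the article; it emulates Windows path semantics with Python's ntpath module so it runs on any platform, and the archive entry names it checks are constructed samples (the destination directory and file names are assumptions).

```python
import ntpath

# Constructed sample entry names, as they might appear in an archive listing.
# The first two are ordinary; the rest each use one escape form that a
# containment check must catch: parent traversal, a drive-qualified path,
# a rooted path (leading slash) and a UNC path.
SAMPLE_ENTRIES = [
    "invoice\\summary.pdf",
    "invoice\\..\\notes.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.exe",
    "/Users/Public/update.exe",
    "\\\\fileserver\\share\\update.exe",
]

# Assumed extraction target chosen by the user.
DEST_DIR = "C:\\Users\\alice\\Downloads\\invoice"


def resolve_entry(entry_name: str, dest_dir: str) -> str:
    """Return the normalized, case-folded path an extractor would write to.

    Forward slashes are treated as separators (RAR and ZIP both allow them),
    '.' and '..' components are collapsed, and the result is lower-cased so
    the comparison matches Windows' case-insensitive file system.
    """
    normalized = entry_name.replace("/", "\\")
    return ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, normalized)))


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """True only if extracting entry_name stays strictly inside dest_dir."""
    normalized = entry_name.replace("/", "\\")
    # A drive letter (C:...) or UNC prefix (\\server\share) can never be
    # relative to dest_dir, so reject it before joining.
    if ntpath.splitdrive(normalized)[0]:
        return False
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = resolve_entry(entry_name, dest_dir)
    # A rooted entry ("\Users\...") makes ntpath.join discard dest_dir's
    # path component; the prefix check below catches that case as well.
    return target.startswith(base.rstrip("\\") + "\\")


def find_unsafe_entries(entry_names, dest_dir: str) -> list:
    """Return every entry that would be written outside dest_dir."""
    return [name for name in entry_names if not is_safe_entry(name, dest_dir)]


if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        verdict = "ok     " if is_safe_entry(name, DEST_DIR) else "REJECT "
        print(verdict, name, "->", resolve_entry(name, DEST_DIR))
```

Run as a script, the block prints the resolved path for each sample entry and rejects the last four. Note that a path check alone is not sufficient for a real extractor: it must also refuse to follow symbolic links or junctions that an earlier entry created inside the destination, since those redirect later writes outside it even when every entry name passes this test.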

As WinRAR does not include an auto-update feature, it is strongly advised that all users manually download and install the latest version from win-rar.com so they are protected from this vulnerability.

Exploited as a zero-day in attacks

The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.

“ESET has observed spearphishing emails with attachments containing RAR files,” Strýček told BleepingComputer.

“These archives exploited the CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group.”

RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, along with campaigns focused on stealing credentials.


The group is known for exploiting zero-day vulnerabilities in its attacks and for using custom malware for data theft, persistence, and backdoor access.

RomCom has previously been linked to numerous ransomware operations, including Cuba and Industrial Spy.

ESET is working on a report regarding the exploitation, which will be published at a later date.
