WinRAR Path Traversal Bug Actively Exploited in New Campaign

Take action: This is important and urgent! If you use WinRAR, update it to version 7.13 or later from the official WinRAR website, because attackers are sending malicious archive attachments, and opening one is enough to get your machine compromised. Also be very careful with any RAR file attachments in emails, especially unexpected ones.

WinRAR users are under repeated attack from state-backed and criminal groups using a path traversal flaw. 

The bug, CVE-2025-8088 (CVSS score 9.8), lets attackers hide files in archives and have them written into sensitive folders outside the directory the user chose for extraction. It was already being exploited during 2025.

RARLAB fixed the issue in July 2025 with WinRAR 7.13, but many systems still run old versions. According to a Google Threat Intelligence report, this flaw has become a favorite tool for both spies and thieves.

The attack uses NTFS Alternate Data Streams (ADS) to hide malicious code alongside normal-looking files such as PDFs. When a user opens the archive, the software writes a hidden file into the Windows Startup folder: the entry's name carries path-traversal sequences (".." components) that escape the folder the file should have been written to.

For example, a file within the RAR archive might have a composite name like innocuous.pdf:malicious.lnk combined with a malicious path: ../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk

The malicious file then runs automatically the next time the user logs in. This method bypasses basic security checks and relies on users not noticing extra files being created during extraction.
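The following is an added example, not code from the article, RARLAB, or Google's report. It shows the check a defender would run over an archive's entry listing before extraction: it normalizes each entry name, splits off any ADS stream portion, flags ".." components and absolute paths, resolves where the entry would land relative to an assumed extraction directory, and reports whether that lands in a Startup folder. The entry names and the extraction root are constructed placeholders; in practice the names would come from a listing tool (for example the output of "unrar l" or the namelist of a rarfile.RarFile object). Drive letters are dropped and paths are treated as POSIX-style for portability, and a stream name is resolved as if it were a path under the extraction root, which is a simplification of WinRAR's real behaviour.

```python
"""Flag archive entry names that use path traversal or ADS to escape the extraction directory."""
import posixpath

# Case-insensitive marker for the per-user and all-users Startup folders on Windows
STARTUP_MARKER = "/start menu/programs/startup/"


def _split_ads(name: str):
    """Split 'file.pdf:stream' into ('file.pdf', 'stream').

    A leading drive prefix such as 'C:' is kept with the base name and is not
    treated as an ADS separator.
    """
    drive = ""
    if len(name) > 1 and name[1] == ":" and name[0].isalpha():
        drive, name = name[:2], name[2:]
    if ":" in name:
        base, stream = name.split(":", 1)
        return drive + base, stream
    return drive + name, None


def _resolve(root: str, rel: str) -> str:
    """Path a relative entry would be written to if joined naively to the extraction root."""
    return posixpath.normpath(posixpath.join(root, rel.lstrip("/")))


def analyze_entry(name: str, extract_root: str = "/Users/victim/Downloads") -> dict:
    """Classify one archive entry name; extract_root is a constructed placeholder."""
    norm = name.replace("\\", "/")          # treat both separators alike
    root = posixpath.normpath(extract_root)
    findings = set()
    targets = []

    base, stream = _split_ads(norm)
    if stream is not None:
        findings.add("ads")                 # alternate data stream syntax present

    for part in (base, stream):
        if part is None:
            continue
        has_drive = len(part) > 1 and part[1] == ":"
        if part.startswith("/") or has_drive:
            findings.add("absolute")        # entry names should never be absolute
        components = [c for c in part.split("/") if c]
        if ".." in components:
            findings.add("dotdot")          # classic traversal component
        rel = part[2:] if has_drive else part
        target = _resolve(root, rel)
        if target != root and not target.startswith(root + "/"):
            findings.add("escapes_root")    # would be written outside the chosen folder
        if STARTUP_MARKER in target.lower():
            findings.add("startup_folder")  # would run automatically at next logon
        targets.append(target)

    return {
        "name": name,
        "targets": targets,
        "findings": sorted(findings),
        "suspicious": bool(findings),
    }


def scan_listing(names, extract_root: str = "/Users/victim/Downloads"):
    """Return the analysis of every suspicious entry in an archive listing."""
    results = (analyze_entry(n, extract_root) for n in names)
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample listing modelled on the entry shape described above
    sample = [
        "report.pdf",
        "docs/notes.txt",
        "innocuous.pdf:../../../../../Users/victim/AppData/Roaming/Microsoft/"
        "Windows/Start Menu/Programs/Startup/malicious.lnk",
        "..\\..\\evil.exe",
    ]
    for hit in scan_listing(sample):
        print(hit["name"], "->", hit["findings"], hit["targets"][-1])
```

Run the scan before extracting anything: an entry that resolves outside the extraction root, or whose stream name contains ".." components, is reason enough to quarantine the archive regardless of what its visible file names look like.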

Russian groups like APT44 and Turla use this bug to target the Ukrainian military. They send emails with fake documents about drone flights or army units to trick staff into opening archives. Chinese groups also use the flaw to install the POISONIVY malware. These groups like using known bugs because they know many people forget to update their software, giving them an easy way into government and military systems.

Criminals also use the flaw to steal money and data. One group targets hotels in Latin America to install remote access tools that let them control computers from afar. Another group targets Brazilian banks by installing fake browser tools that steal login names and passwords.

Organizations must update WinRAR to 7.13 or later and monitor Startup folders for newly created files, particularly .lnk shortcuts, to stop these attacks.