WinRAR vulnerability exploited in malware campaigns
Take action: If you use WinRAR, update it to version 7.13 or later from the official WinRAR website. Attackers are sending malicious archive attachments, and opening one compromises your system. Also, be very careful with any RAR file attachments in emails, especially unexpected ones.
WinRAR has patched a security vulnerability that was actively exploited as a zero-day in phishing attacks by Russian-linked cybercriminals.
The vulnerability, tracked as CVE-2025-8088 (CVSS score 9.8), is a directory traversal flaw that allows attackers to execute arbitrary code on affected systems. It enables writing files to arbitrary locations on the system when extracting archive contents, potentially leading to complete compromise of systems running affected WinRAR installations.
Attackers exploit this flaw by creating malicious archives that extract executables into autorun paths, such as the Windows Startup folder, enabling automatic execution upon user login and achieving remote code execution capabilities.
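As an added illustration (not code from WinRAR or from the researchers), the following Python sketch shows the kind of pre-extraction check a mail gateway or triage script can apply to an archive's listed entry names: resolve each name against the intended extraction folder using Windows path rules and flag anything that lands outside it, with a separate label for the Startup folder. The function names, the sample paths and the assumption that the traversal is visible in the listed entry names are all hypothetical.

```python
import ntpath  # Windows path semantics, usable on any OS

# Fragment shared by the per-user and all-users Startup folders (lowercase).
STARTUP_MARKER = "\\start menu\\programs\\startup"


def resolve_entry(dest_dir, entry_name):
    """Return the normalized Windows path an entry would be written to."""
    name = entry_name.replace("/", "\\")
    # ntpath.join discards dest_dir when the entry is absolute or rooted,
    # which is exactly the case that must be caught.
    return ntpath.normpath(ntpath.join(dest_dir, name))


def classify_entry(dest_dir, entry_name):
    """Return 'ok', 'escapes' or 'autorun' for one archive entry name."""
    root = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\")
    target = ntpath.normcase(resolve_entry(dest_dir, entry_name))
    # Compare on a separator boundary so "invoice2" is not inside "invoice".
    if target == root or target.startswith(root + "\\"):
        return "ok"
    if STARTUP_MARKER in target:
        return "autorun"
    return "escapes"


def audit(dest_dir, entry_names):
    """Map every entry that would leave dest_dir to its classification."""
    verdicts = {n: classify_entry(dest_dir, n) for n in entry_names}
    return {n: v for n, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    # Constructed sample listing; not taken from a real archive.
    dest = r"C:\Users\alice\Downloads\invoice"
    listing = [
        r"docs\readme.txt",
        r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu"
        r"\Programs\Startup\updater.exe",
        r"..\invoice2\notes.txt",
        "docs/../../helper.dll",
    ]
    for name, verdict in audit(dest, listing).items():
        print(f"{verdict:8} {name}")
```

A non-empty result from `audit` is a reason to quarantine the attachment rather than extract it.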
ESET researchers noted spearphishing emails containing RAR file attachments that exploited CVE-2025-8088 to deliver RomCom backdoors.
Affected versions: all WinRAR versions prior to 7.13.
WinRAR version 7.13 and later versions are patched against this vulnerability. Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, as well as RAR for Android, are not affected by this particular vulnerability.
It is strongly recommended that all users manually download and install the latest version from the official WinRAR website. Organizations that cannot immediately upgrade should restrict RAR email attachments and educate users about the risks of opening unexpected archive files.