CVE-2025-8088 — RARLAB WinRAR Path Traversal Vulnerability

CVE-2025-8088

WinRAR Windows — Path Traversal via ...// Archive Entry Names; Amaranth Dragon (APT41-linked) and RomCom Exploitation; Fixed in 7.13

What is WinRAR?

WinRAR is one of the most widely used file archiving and compression utilities for Windows, with hundreds of millions of users worldwide. It reads RAR, ZIP, 7z and many other archive formats. Because users routinely open archives received by email, download or file sharing, often double-clicking without scrutiny, vulnerabilities in WinRAR's extraction engine are a reliable malware delivery vector. WinRAR has been targeted repeatedly for path traversal and code execution bugs, including CVE-2023-38831, a heavily exploited 2023 zero-day.

Overview

CVE-2025-8088 is a path traversal vulnerability (CWE-35, Path Traversal via ...// sequences) in the Windows version of WinRAR. A crafted archive entry can make the extractor write its contents to a filesystem location outside the directory the user chose. Delivered by phishing or web download, such an archive can drop executable payloads into the user's Startup folder, directories on PATH, or application directories, giving persistent code execution with no user action beyond extracting the archive; a payload dropped into the Startup folder runs at the next logon. ESET researchers discovered the vulnerability and attributed active exploitation to Amaranth Dragon (an APT41-linked Chinese state-sponsored group) and RomCom (a Russian cybercriminal/espionage group).

Affected Versions

Product                         Vulnerable   Fixed
WinRAR (Windows)                < 7.13       7.13 Final (July 30, 2025)
RAR.exe (Windows standalone)    < 7.13       7.13
UnRAR.dll (Windows)             < 7.13       7.13

Note: Linux, macOS, and Android versions of RAR/WinRAR are not affected. The flaw is in the extraction path handling of the Windows builds, so Unix builds of RAR, UnRAR and the UnRAR library do not need this update.

Technical Details

The traversal occurs in WinRAR's archive extraction engine on Windows. NVD classifies it as CWE-35 (Path Traversal: '.../...//'), the family of sequences that survive a single-pass '../' filter and then collapse into '../'. In practice the effect is the one RARLAB's 7.13 release note describes: affected versions could be tricked into writing to a path defined inside the archive instead of the path the user specified, so an entry name that steps upward is resolved above the designated output directory.

Example attack pattern (entry names are illustrative, not taken from a real sample):

  • Archive contains an entry whose stored name steps upward, e.g. ..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk (or the ...// form, which collapses to the same '..' once a naive filter has run over it)
  • When the victim extracts to C:\Users\victim\Downloads\, the entry is written to C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk instead of under Downloads
  • The dropped file runs at the next logon; the same trick reaches any location the victim's account can write, such as other AppData paths, user-writable application directories, or DLL search-order locations of user-installed software

The victim only needs to extract the archive — a standard user action. No special permissions are needed for the traversal because WinRAR writes using the user's own privileges, and many directories (user Startup folder, AppData, user-writable application directories) are accessible without admin rights.
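The following Python illustration is an added example, not code from WinRAR, RARLAB or ESET. It shows the two halves of the problem: why a one-pass '../' filter turns the CWE-35 pattern .../...// into a working '../' traversal, and how an extractor should instead join the entry name to the chosen output directory, normalize it with Windows semantics, and refuse anything that does not remain below that directory. The output directory, the entry names and the rejection rules (no absolute or drive paths, no ':' so that NTFS alternate data stream names are refused, no components with trailing dots or spaces) are this example's own assumptions and constructed data, not taken from a real CVE-2025-8088 sample.

```python
"""
Added example (not WinRAR's or RARLAB's code): how an archive extractor should
validate a stored entry name against the user-chosen output directory, and why
the CWE-35 ".../...//" pattern defeats a one-pass "../" filter.

All entry names below are constructed for this illustration; they are not
taken from a real CVE-2025-8088 sample.
"""
import ntpath

# Output directory the user chose (constructed example value).
DEST = r"C:\Users\victim\Downloads"

# Constructed archive listing: two benign entries and four hostile ones.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    # plain traversal into the per-user Startup folder (no admin rights needed)
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    # CWE-35 pattern: survives one pass of "../" removal and then collapses to "../"
    ".../...//AppData/Roaming/evil.dll",
    # absolute path: must never be honoured from an archive
    r"C:\Windows\Temp\evil.dll",
    # NTFS alternate data stream name carrying its own traversal
    r"decoy.pdf:..\..\Temp\payload.dll",
]


def naive_sanitize(name: str) -> str:
    """A broken filter: strip "../" in one non-overlapping pass.
    ".../...//" loses two "../" substrings and what is left *is* "../"."""
    return name.replace("../", "")


def resolve_under(dest: str, entry: str):
    """Return the absolute write path if `entry` stays inside `dest`, else None.

    ntpath is used so the rules apply Windows semantics on any host. The rules
    are this example's assumptions about a safe extractor, not WinRAR's logic:
      1. no rooted, UNC, absolute or drive-letter paths
      2. no ':' anywhere (drive-relative "C:x" and ADS "file:stream" names)
      3. no component with trailing dots or spaces (Win32 silently strips them,
         so the name written would differ from the name checked; this also
         rejects "...")
      4. join, normalize, and require the result to remain below dest
    """
    name = entry.replace("/", "\\")
    if name.startswith("\\") or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None
    if ":" in name:
        return None
    for comp in name.split("\\"):
        if comp in ("", ".", ".."):
            continue                      # handled by normpath below
        if comp.rstrip(". ") != comp:
            return None
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, name))
    if target == dest_norm:
        return None                       # empty name or only "."
    try:
        inside = ntpath.commonpath([dest_norm, target]) == dest_norm
    except ValueError:                    # different drives
        inside = False
    return target if inside else None


def naive_then_resolve(dest: str, entry: str):
    """What a filter-then-trust extractor would do: the cleaned name and
    where it actually lands after normalization."""
    cleaned = naive_sanitize(entry)
    landing = ntpath.normpath(ntpath.join(dest, cleaned.replace("/", "\\")))
    return cleaned, landing


def triage(dest: str, entries):
    """Map each entry to its permitted target, or None when it must be skipped."""
    return {e: resolve_under(dest, e) for e in entries}


if __name__ == "__main__":
    for entry, target in triage(DEST, SAMPLE_ENTRIES).items():
        print(f"{'OK  ' if target else 'SKIP'} {entry!r} -> {target}")
    cleaned, landing = naive_then_resolve(DEST, SAMPLE_ENTRIES[3])
    print(f"\nnaive filter turns {SAMPLE_ENTRIES[3]!r} into {cleaned!r}")
    print(f"which would be written to {landing}")
```

Run it as a script to see the triage of the constructed listing. The point to take away is that resolve_under never tries to clean a name; it only decides whether the already-normalized target is acceptable, and it treats a name with trailing dots as hostile rather than guessing what Win32 will do with it.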

Discovery

ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček discovered the vulnerability and attributed exploitation campaigns.

Exploitation Context

Two distinct threat actors exploited CVE-2025-8088:

  • Amaranth Dragon (APT41-linked, Chinese state-sponsored): Deployed in espionage operations targeting government and law enforcement organizations. Delivered custom backdoors via WinRAR archive phishing lures.

  • RomCom (Russian, financially motivated/espionage): Used in campaigns to install the RomCom backdoor and associated data theft tooling across European and US targets.

CISA added the vulnerability to the KEV catalog on August 12, 2025, four days after the CVE was published, with a 21-day remediation deadline of September 2, 2025.

Remediation

  1. Update WinRAR to 7.13 Final (or later) immediately. WinRAR has no auto-update mechanism; users must download the new build from the official RARLAB website (win-rar.com). The CISA deadline was September 2, 2025.
  2. Verify the installed version via Help → About WinRAR in the application, and inventory standalone RAR.exe and UnRAR.dll copies bundled with other software, which are updated with that software rather than with WinRAR.
  3. Block RAR archives at the email gateway: quarantine or strip RAR attachments, which few organizations have a legitimate need to receive by email.
  4. Inspecting the file list in WinRAR before extracting can reveal obvious traversal entries, but do not rely on it: an archive can be crafted so that the listing looks benign, and the only reliable fix is the patched version.
  5. Apply Windows Defender Attack Surface Reduction (ASR) rules to block untrusted executable content from running.
  6. Hunt for Amaranth Dragon / RomCom indicators if your organization received suspicious RAR archives between July and August 2025: check for unexpected files in Startup folders, AppData, and application directories, paying attention to files whose creation time matches an archive extraction.

Key Details

Property              Value
CVE ID                CVE-2025-8088
Vendor / Product      RARLAB — WinRAR
NVD Published         2025-08-08
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-35
CISA KEV Added        2025-08-12
CISA KEV Deadline     2025-09-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-09-02. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-07-30   WinRAR 7.13 Final released with fix
2025-08-08   CVE published; ESET reveals discovery and threat actor attribution
2025-08-12   Added to CISA Known Exploited Vulnerabilities catalog
2025-09-02   CISA BOD 22-01 remediation deadline