Hackers Exploit WinRAR Path Traversal Vulnerability

Security experts have identified a significant vulnerability, CVE-2025-8088, affecting WinRAR. This high-severity path traversal flaw lets attackers use Alternate Data Streams (ADS) to write malicious files to arbitrary locations on a victim's system.

The cybersecurity company ESET first reported the issue in early August 2025, noting that both state-sponsored and financially motivated threat actors had begun exploiting it as early as July 18, 2025. The details of the ongoing exploitation summarized below come from a report by the Google Threat Intelligence Group (GTIG).

Details of the Vulnerability

The core issue with CVE-2025-8088 lies in its path traversal capability. Attackers typically conceal malicious files behind decoy documents stored in an archive; PDFs are a common decoy format. When a user extracts the archive, the hidden payloads are dropped as well, usually as executable scripts such as LNK, HTA, BAT, or CMD files.

Targeted Groups and Attack Techniques

The following threat actor groups are notably exploiting this vulnerability:

  • UNC4895 (RomCom/CIGAR) – Uses spearphishing tactics targeting Ukrainian military units with the NESTPACKER malware.
  • APT44 (FROZENBARENTS) – Deploys malicious LNK files with Ukrainian-themed decoys for additional downloads.
  • TEMP.Armageddon (CARPATHIAN) – Inserts HTA downloaders into Windows Startup folders.
  • Turla (SUMMIT) – Distributes the STOCKSTAY malware suite using themes related to the Ukrainian army.
  • China-linked actors – Utilize this exploit to run POISONIVY via BAT files that retrieve further payloads.
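As an added example (not code from the article, ESET, or GTIG), the following Python check is the kind of pre-extraction triage a defender could run over an archive's entry names. It flags an ADS separator in the name, `..` segments, rooted paths, entries that would land outside the extraction directory, entries that would land in the user's Startup folder (the location the article says TEMP.Armageddon's HTA downloaders are written to), and the script extensions the article lists. The directory paths, the entry names, and the assumed `file:stream` shape of an ADS entry are all constructed for the example; the function takes plain entry-name strings, so it works with any archive lister that can supply them.

```python
import ntpath

# Constructed paths for the example (not taken from the article).
DEST_DIR = r"C:\Users\alice\Downloads\extracted"
STARTUP_DIR = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")

# Script types the article says the hidden payloads are dropped as.
SCRIPT_EXTS = {".lnk", ".hta", ".bat", ".cmd"}


def split_ads(name):
    """Split an assumed 'file.pdf:stream' entry name into (base, stream).

    A leading drive letter such as 'C:' is not a stream, so it is
    removed before looking for the ':' separator.
    """
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return name, None


def target_path(component, dest_dir):
    """Where a naive extractor (dest_dir joined with the name) would write."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, component)))


def escapes(path, root):
    """True if the normalised path is not inside root."""
    root = ntpath.normcase(ntpath.normpath(root))
    return not (path == root or path.startswith(root + "\\"))


def classify_entry(name, dest_dir=DEST_DIR, startup_dir=STARTUP_DIR):
    """Return the ordered list of flags raised by one archive entry name."""
    flags = []
    base, stream = split_ads(name)
    if stream is not None:
        flags.append("ads")
    # Both the file name and (if present) the stream name are checked,
    # since either could carry a path.
    for part in (base, stream):
        if part is None:
            continue
        segments = part.replace("/", "\\").split("\\")
        if ".." in segments:
            flags.append("traversal")
        if part.startswith(("\\", "/")) or ntpath.splitdrive(part)[0]:
            flags.append("absolute")
        tgt = target_path(part, dest_dir)
        if escapes(tgt, dest_dir):
            flags.append("escapes-destination")
        if not escapes(tgt, startup_dir):
            flags.append("startup-folder")
        if ntpath.splitext(part)[1].lower() in SCRIPT_EXTS:
            flags.append("script-payload")
    # De-duplicate while preserving order.
    return list(dict.fromkeys(flags))


def scan_entries(names, **kw):
    """Map each suspicious entry name to its flags; clean entries are omitted."""
    return {n: f for n in names if (f := classify_entry(n, **kw))}


if __name__ == "__main__":
    # Constructed entry names: two benign, three of the shapes the checks target.
    sample = [
        "report.pdf",
        r"docs\notes.txt",
        r"invoice.pdf:..\..\AppData\Roaming\Microsoft\Windows"
        r"\Start Menu\Programs\Startup\update.hta",
        r"..\..\..\Windows\Temp\run.bat",
        r"C:\ProgramData\x.cmd",
    ]
    for entry, flags in scan_entries(sample).items():
        print(f"{entry!r}: {', '.join(flags)}")
```

The check deliberately normalises against the destination directory rather than only searching for `..`, so a rooted or drive-letter path that escapes without any traversal segment is still caught, and the Startup-folder check is a membership test on the resolved target rather than a substring match.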

Alongside these state-sponsored threats, financially motivated cybercriminals are also leveraging the WinRAR vulnerability. They are distributing common remote access tools and information stealers, including XWorm and AsyncRAT.

The Commoditization of Exploit Development

The commoditization of exploits has been driven by specialized suppliers, such as the individual using the alias “zeroplayer.” This seller advertised a WinRAR exploit last July, a sign of the broader shift toward hacking tools being bought and sold as commodities. Other exploits marketed by the same threat actor include zero-days affecting Microsoft Office and corporate VPN systems, with prices ranging from $80,000 to $300,000.

This trend reflects a significant transformation in the cyberattack landscape: it lowers the barrier for attackers and lets them target unpatched systems quickly.
