WinRAR Vulnerability Widely Exploited to Deploy Remote Access Tools

The exploitation of a WinRAR vulnerability that was abused as a zero-day before it was patched has raised significant concern among security researchers. The flaw, assigned CVE-2025-8088, is a path traversal vulnerability in the Windows version of the popular archiver: a crafted archive can cause files to be written outside the directory the user chose for extraction.

Vulnerability Details and Impact

WinRAR fixed CVE-2025-8088 in version 7.13, released on July 30, 2025; versions 7.12 and earlier are affected. The vulnerability carries a CVSS v3.1 score of 8.8 (High). WinRAR has no automatic update mechanism, so installations remain vulnerable until the user downloads and installs the patched build.

Shortly after the patch was released, researchers from ESET, who had reported the flaw, disclosed that it had already been exploited as a zero-day, including by Russia-aligned actors. The RomCom group in particular was reported to be targeting military and governmental entities.

Continued Exploitation

As of late January 2026, reports from the Google Threat Intelligence Group (GTIG) confirm that multiple hacking groups are still actively abusing the vulnerability. They use the NTFS Alternate Data Streams (ADS) feature to hide the malicious entries in the archive.

  • Attackers build a RAR archive whose visible content is a harmless decoy file; the payload is stored as ADS entries attached to that file, with stream names containing path traversal sequences (such as ..\..\).
  • When the archive is extracted with a vulnerable version of WinRAR, the traversal is honored and the payload is written to an attacker-chosen location, such as the user's Startup folder, while the user sees only the decoy. A file dropped in Startup runs at the next logon.
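To make the mechanism above concrete, here is an added example that is not part of the original article and not WinRAR's code: a small Python simulation of an archive extractor handling ADS entries. The `naive_target` policy models the vulnerable behaviour (the stream name is resolved relative to the entry's directory without any check, so `..` components walk out of the destination); `safe_target` shows the checks a hardened extractor applies. The archive entries, directory layout and `update.bat` payload are constructed for the demo, and outside Windows an ADS is modelled as a sibling file named `file:stream` so the script runs anywhere.

```python
"""Constructed simulation of archive extraction with NTFS alternate data
stream (ADS) entries: a naive extractor that trusts entry and stream names
and a hardened one that confines every write to the destination directory.
Illustrative code only, not WinRAR's implementation."""
import tempfile
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath


@dataclass(frozen=True)
class Entry:
    """One archive member. `stream` is an ADS name; '' means the main data."""
    name: str            # path as stored in the archive (Windows separators)
    stream: str = ""     # alternate data stream name, attacker-controlled
    data: bytes = b""


def _local(win_path: str) -> Path:
    """Map an archive path written with backslashes onto the host path type."""
    return Path(*PureWindowsPath(win_path).parts)


def naive_target(dest: Path, entry: Entry) -> Path:
    """Vulnerable behaviour (modelled): the stream name is resolved relative
    to the entry's directory with no check, so '..' walks out of dest."""
    base = dest / _local(entry.name)
    return base if not entry.stream else base.parent / _local(entry.stream)


def safe_target(dest: Path, entry: Entry) -> Path:
    """Hardened: reject separators, '..', drives and roots in both names,
    then confirm the resolved path is still inside dest (defence in depth)."""
    name = PureWindowsPath(entry.name)
    if name.drive or name.root or ".." in name.parts:
        raise ValueError(f"unsafe entry name: {entry.name!r}")
    if entry.stream and any(t in entry.stream for t in ("/", "\\", "..")):
        raise ValueError(f"unsafe stream name: {entry.stream!r}")
    root = dest.resolve()
    target = (dest / Path(*name.parts)).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"escapes destination: {target}")
    # On NTFS the ADS lives on the same file; off Windows we model it as a
    # sibling file named 'file:stream' so the demo runs on any platform.
    if entry.stream:
        target = target.with_name(f"{target.name}:{entry.stream}")
    return target


def extract(dest: Path, entries: list, target_fn) -> tuple:
    """Write each entry under the given targeting policy.
    Returns (paths written, rejection reasons)."""
    written, rejected = [], []
    for entry in entries:
        try:
            target = target_fn(dest, entry)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(entry.data)
        written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both policies on a constructed archive inside a scratch tree."""
    root = Path(tempfile.mkdtemp(prefix="ads-demo-"))
    dest = root / "Downloads" / "extracted"
    dest.mkdir(parents=True)
    (root / "Startup").mkdir()      # stands in for the user's Startup folder
    # Constructed entries: a decoy, a benign ADS, and a traversing ADS whose
    # stream name climbs two levels from the extraction directory.
    archive = [
        Entry("report.txt", data=b"quarterly figures"),
        Entry("report.txt", stream="Zone.Identifier",
              data=b"[ZoneTransfer]\r\nZoneId=3"),
        Entry("report.txt", stream="..\\..\\Startup\\update.bat",
              data=b"@echo off\r\nrem constructed placeholder, not a payload"),
    ]
    naive_written, _ = extract(dest, archive, naive_target)
    safe_dest = root / "Downloads" / "extracted_safe"
    safe_written, rejected = extract(safe_dest, archive, safe_target)
    inside = dest.resolve()
    return {
        "naive_escaped": [p.resolve() for p in naive_written
                          if not p.resolve().is_relative_to(inside)],
        "startup_payload": (root / "Startup" / "update.bat").exists(),
        "safe_written": [p.name for p in safe_written],
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive policy lands `update.bat` in the stand-in Startup folder even though the user extracted into `Downloads\extracted`; the hardened policy writes the decoy and the legitimate `Zone.Identifier` stream and rejects the traversing stream name. The same containment check (resolve, then verify the result is inside the destination) is the generic fix for this vulnerability class, whatever the archive format.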

Targeted Sectors and Methods

According to GTIG, various government-backed groups are focusing their attacks primarily on:

  • Military and government organizations, particularly in Ukraine.
  • Commercial entities, including sectors like hospitality and travel.
  • Users in Brazil, targeted for banking credentials.

The RomCom group, known for both ransomware and espionage, uses geopolitical lures to deliver archives that exploit this vulnerability. A Chinese group is also leveraging it to deploy PoisonIvy, a Remote Access Trojan (RAT), by dropping a BAT file into the Startup folder so that it runs at the next logon.

Financial Motivations Behind the Exploits

Several financially motivated criminal gangs are also capitalizing on CVE-2025-8088. These groups employ various tactics to deliver RATs and credential-stealing malware.

Market for Exploits

A criminal known as "zeroplayer" has been actively selling zero-day exploits, including one for this WinRAR vulnerability, on cybercrime forums. In June 2025, before the patch was available, they advertised the WinRAR exploit for $80,000.

GTIG states that zeroplayer continues to offer various exploits, including:

Exploit type                                          Price
Remote code execution in Microsoft Office             $300,000
Local privilege escalation in Windows                 $100,000
RCE in an unnamed corporate VPN product               Not disclosed
Antivirus disabling via an unspecified driver         $80,000

The ongoing exploitation of CVE-2025-8088 underscores the need to keep software patched and to treat archives from untrusted sources with suspicion. Because WinRAR does not update itself, organizations should inventory installed versions and upgrade any build older than 7.13; defenders can also watch for unexpected files appearing in users' Startup folders, the drop location favored by the campaigns described here.