CVE-2025-8088 – WinRAR Path Traversal Exploit


Executive Summary

CVE-2025-8088 is a high-severity path traversal flaw in WinRAR for Windows (≤ 7.12). Exploited as a zero-day by Russian APT groups RomCom and Paper Werewolf, the bug allows arbitrary file placement and execution when victims open malicious RAR archives.

  • CVSS: 8.4 (high)
  • Affected Products: WinRAR ≤ 7.12, UnRAR.dll, portable UnRAR code (Windows only)
  • Impact: Remote code execution, persistence via autorun folders
  • Patch: Fixed in WinRAR 7.13 (July 30, 2025)
  • Urgency: CISA mandates federal patching by Sep 2, 2025

Vulnerability Overview

The flaw stems from improper validation of file paths during RAR extraction. Attackers craft archives with ..\ sequences and Alternate Data Streams (ADSes) to bypass directory restrictions.

  • Files can be silently written into Startup or other sensitive directories.
  • Malicious payloads (DLL, EXE, LNK, scripts) auto-execute on login.
  • Linux and Android builds are not affected.
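To make the missing validation concrete, the following is an added example (not WinRAR's or Noorstream's code) of the pre-extraction check a safe extractor performs on every entry name: it rejects the two tricks described above, `..` traversal components and NTFS Alternate Data Stream names, along with absolute, drive-letter and UNC paths, and then confirms that the joined path still lies under the extraction folder. The destination folder and the entry names are constructed for illustration; the check works on names alone, needs no RAR parsing, and runs on any OS.

```python
"""Pre-extraction sanity check for archive entry names.

Added example, not WinRAR's own code: it models the validation the
advisory says was missing in WinRAR <= 7.12, rejecting '..' traversal
components, absolute/drive/UNC paths and NTFS Alternate Data Stream
(ADS) names, and confirming the joined path stays under the
extraction directory. The entry names and destination below are
constructed for illustration.
"""
from __future__ import annotations

import ntpath
from pathlib import PureWindowsPath

# Constructed destination folder; any extraction root works the same way.
DEFAULT_DEST = r"C:\Users\alice\Downloads\extract"


def check_entry_name(name: str, dest: str = DEFAULT_DEST) -> tuple[bool, str]:
    """Return (ok, reason). ok is False when the entry must not be extracted."""
    if not name or not name.strip():
        return False, "empty entry name"

    p = PureWindowsPath(name)  # treats both '/' and '\' as separators

    # 1. Absolute paths, drive letters and UNC roots never belong in an archive entry.
    if p.drive or p.root:
        return False, f"absolute or rooted path: {name}"

    # 2. Any '..' component lets the entry climb out of the extraction folder.
    if ".." in p.parts:
        return False, f"parent-directory traversal: {name}"

    # 3. With no drive present, a colon can only be an ADS marker (file.txt:stream).
    if ":" in name:
        return False, f"alternate data stream in name: {name}"

    # 4. Belt and braces: resolve lexically and confirm containment (case-insensitive).
    root = ntpath.normpath(dest).lower().rstrip("\\") + "\\"
    target = ntpath.normpath(ntpath.join(dest, str(p))).lower()
    if not target.startswith(root):
        return False, f"resolves outside destination: {target}"

    return True, target


def triage_archive(entries: list[str], dest: str = DEFAULT_DEST) -> list[tuple[str, bool, str]]:
    """Run the check over every entry; callers extract only rows with ok=True."""
    return [(e, *check_entry_name(e, dest)) for e in entries]


# Constructed entry list shaped like the lure the advisory describes:
# a harmless decoy plus entries using the two abused tricks.
CONSTRUCTED_ENTRIES = [
    "resume.txt",
    r"docs\cover_letter.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "resume.txt:payload.exe",
    "docs/../../helper.dll",
    r"C:\Windows\Temp\x.exe",
]

if __name__ == "__main__":
    for entry, ok, reason in triage_archive(CONSTRUCTED_ENTRIES):
        print(f"{'EXTRACT' if ok else 'REJECT '}  {entry!r:80}  {reason}")
```

Step 3 is the one a plain containment check misses: `resume.txt:payload.exe` normalises to a path inside the destination, yet on NTFS it writes a hidden stream instead of the decoy file, so the ADS test has to be explicit rather than relying on path resolution.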

Russian APT groups exploited this vulnerability as a zero-day before a patch existed. Organizations still running unpatched WinRAR — or without a process for tracking active zero-day exploitation — are exposed right now.


Attack Vector

  • Delivered via phishing campaigns disguised as job applications, government forms, or resumes.
  • Decoy files (e.g., resume.txt) mask hidden malicious payloads in ADS.
  • On extraction, payloads land in autorun folders, ensuring persistence and remote access.

Exploitation Status

  • In the Wild: Active exploitation confirmed since July 18, 2025.
  • Actors: RomCom (Storm-0978) and Paper Werewolf (GOFFEE).
  • Campaigns: Financial, defense, logistics, manufacturing targets in Europe, Canada, Russia, Uzbekistan.
  • Dark Web: Exploit sold for ~$80,000 prior to attacks.
  • PoC: Multiple GitHub proofs-of-concept published.
  • CISA KEV: Added with mandatory patch deadline.

Mitigation Steps

  1. Patch Immediately – Update to WinRAR 7.13 or later across all systems.
  2. File Hunts – Scan for suspicious .lnk, .exe, .dll in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  3. Process Monitoring – Flag abnormal process launches tied to archive extraction.
  4. Controls – Restrict executable launches from %TEMP% and user-writable directories.
  5. Email Security – Sandbox RAR archives; block untrusted archive attachments.
  6. User Awareness – Train staff to treat unexpected RAR job applications as suspect.
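As an added example for step 2 (not a tool from this page or from WinRAR), the script below hunts the per-user and all-users Startup folders for files with shortcut, executable or script extensions and records each hit with its modification time and SHA-256, so findings can be compared against shared indicators and correlated with archive-extraction times. It assumes the Startup folder locations follow from the APPDATA and ProgramData environment variables; demo() builds a constructed Startup-shaped folder in a temporary directory so the logic also runs on a non-Windows analysis box.

```python
"""Hunt for autorun artefacts in Windows Startup folders.

Added example, not a Noorstream or WinRAR tool: it implements the
"File Hunts" mitigation step in Python, listing files with executable,
shortcut or script extensions under the Startup folders, with
modification time and SHA-256 for indicator matching. The folder
layout and file contents in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions the advisory names (.lnk, .exe, .dll) plus common script/screensaver types.
SUSPECT_EXT = {".lnk", ".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr"}


def default_startup_dirs() -> list[str]:
    """Per-user and all-users Startup folders, derived from the usual environment variables."""
    dirs: list[str] = []
    appdata = os.environ.get("APPDATA")          # e.g. C:\Users\<user>\AppData\Roaming
    programdata = os.environ.get("ProgramData")  # e.g. C:\ProgramData
    if appdata:
        dirs.append(os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if programdata:
        dirs.append(os.path.join(programdata, r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return dirs


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large droppers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_startup(dirs: list[str], since: datetime | None = None) -> list[dict]:
    """Return one record per suspicious file; `since` keeps only files modified after that instant."""
    hits = []
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for f in root.rglob("*"):
            if not f.is_file() or f.suffix.lower() not in SUSPECT_EXT:
                continue
            mtime = datetime.fromtimestamp(f.stat().st_mtime, tz=timezone.utc)
            if since is not None and mtime < since:
                continue
            hits.append({
                "name": f.name,
                "path": str(f),
                "modified": mtime.isoformat(),
                "sha256": sha256_of(f),
            })
    return sorted(hits, key=lambda h: h["path"])


# Constructed contents standing in for a decoy document and two dropped autorun files.
CONSTRUCTED_FILES = {
    "resume.txt": b"Jane Doe - curriculum vitae (constructed decoy, harmless text)\n",
    "update.lnk": b"L\x00\x00\x00constructed-shortcut-placeholder",
    "helper.dll": b"MZconstructed-dll-placeholder",
}


def demo() -> list[dict]:
    """Create a throwaway Startup-shaped folder, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in CONSTRUCTED_FILES.items():
            Path(tmp, fname).write_bytes(data)
        # The advisory dates in-the-wild exploitation from 2025-07-18; use it as the lower bound.
        return hunt_startup([tmp], since=datetime(2025, 7, 18, tzinfo=timezone.utc))


if __name__ == "__main__":
    dirs = default_startup_dirs()
    hits = hunt_startup(dirs, since=datetime(2025, 7, 18, tzinfo=timezone.utc)) if dirs else demo()
    for hit in hits:
        print(f"{hit['modified']}  sha256={hit['sha256']}  {hit['path']}")
```

Run it on a Windows host as the user whose profile is being checked (the per-user Startup folder lives under that user's APPDATA); hits are expected to be rare in a clean profile, so every returned record deserves a look, and the SHA-256 is what you feed into indicator matching.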

High-Risk Indicators

Indicator Type: File Path
Value: ..\Startup\malware.lnk
Confidence: High

Indicator Type: Hash
Value: 45d7a1c99f2b3b48b1cfd88a9d9a1a33 (example RomCom LNK)
Confidence: Medium

Indicator Type: Process Behavior
Value: Archive extraction → Startup autorun injection
Confidence: High
