Introduction
It’s early August 2025. WinRAR, one of the world’s most ubiquitous file‑compression tools, has just stumbled into the limelight not for its compression efficiency, but for a critical security flaw. A zero‑day vulnerability, officially registered as CVE‑2025‑8088, has been weaponised in targeted cyberattacks. With no automatic updater, millions of installations worldwide remain exposed unless users take proactive action.
In this article, we’ll explore the discovery, mechanics and consequences of CVE‑2025‑8088; the cyber‑criminal groups exploiting it (RomCom and Paper Werewolf); the patch that stopped the bleeding; and what this means for software security at large.
1. Discovery and Responsible Disclosure
Security researchers at ESET detected anomalies between 18 and 21 July 2025, pinpointing suspicious file‑path behaviour in RAR archives bearing what first appeared to be innocuous Microsoft Edge DLLs (e.g., msedge.dll). Further analysis revealed a previously unknown directory‑traversal flaw in Windows versions of WinRAR affecting not just WinRAR itself, but also UnRAR.dll, command‑line utilities and portable UnRAR code.
ESET notified the WinRAR developers on 24 July, and by 30 July, WinRAR version 7.13 (Final) was released to patch the vulnerability.
2. Anatomy of the Flaw: How CVE-2025-8088 Works
At its core, CVE‑2025‑8088 is a path‑traversal vulnerability. By abusing Windows Alternate Data Streams (ADS), attackers could craft archive entries that don’t extract to the intended directory, but instead place executables into sensitive locations like:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
Once the user logs in again, these executables run automatically, triggering remote code execution without further user interaction.
The CVSS 4.0 score stands at 8.4 (High), according to ESET and confirmed in Nessus reporting.
3. Threat Actors: RomCom and Paper Werewolf
RomCom
RomCom, also known by names like Storm-0978, Tropical Scorpius, or UNC2596, is a Russian-linked cybercrime group notorious for using zero-days. In this case, they deployed spear-phishing campaigns carrying malicious RAR attachments disguised as job applications or CVs. Upon extraction with a vulnerable WinRAR, the payloads such as backdoors SnipBot, RustyClaw, or Mythic agent—were quietly installed.
Paper Werewolf (aka GOFFEE)
A second group, Paper Werewolf (aka GOFFEE), was separately confirmed by BI.ZONE to be leveraging the same vulnerability and potentially even CVE‑2025‑6218, another path‑traversal flaw patched in June 2025. Researchers suspect that the exploit might have been sold on a cybercrime forum in late June for around US $80,000.
4. Timeline at a Glance
| Date | Event |
|---|---|
| 18–21 July 2025 | ESET first notes exploitation in the wild |
| 24 July 2025 | ESET notifies WinRAR developers |
| 30 July 2025 | WinRAR v7.13 Final released to address CVE‑2025‑8088 |
| 12 August 2025 | CISA adds CVE‑2025‑8088 to its Known Exploited Vulnerabilities (KEV) catalog |
| Early August 2025 | Public reporting emerges, urging users to update immediately |
CISA’s inclusion under Binding Operational Directive 22‑01 means federal agencies must remediate the vulnerability by 2 September 2025.
5. The Patch and Limitations
While WinRAR acted swiftly, there’s a significant caveat: WinRAR lacks an automatic updater, meaning users must deliberately download and install version 7.13. This delay in uptake leaves broad swathes of installations sitting ducks.
Affected components include:
- WinRAR for Windows (pre‑7.13)
- UnRAR.dll and related utilities
- Any software bundling WinRAR’s components (e.g., third‑party tools)
Unix and Android versions remain unaffected.
6. Consequences & Recommendations
Consequences of exploitation:
- Stealthy backdoor installation
- Data theft, credential harvesting, lateral movement
- Deployment of data‑destruction tools or ransomware via double‑extortion tactics
Recommendations for users and organisations:
- Immediate update to WinRAR v7.13 (or later)
- Scan systems for suspicious files in Startup directories
- Educate users on spear‑phishing traits (job/CV attachments, odd sender addresses)
- Organisations should audit dependencies ensure no bundled vulnerable UnRAR libraries remain in use.
- Enable security tools (e.g., antivirus/EDR) to flag archived malware or startup anomalies
- Include this as a case study in their vulnerability management plans, noting the lack of auto‑patching as a risk factor
CISA’s urgent inclusion of CVE‑2025‑8088 in the KEV catalogue underscores its criticality.
7. Broader Reflections: What This Tells Us About Software Security
- Auto-update absence is a liability. WinRAR’s lack of automated patching turned a fixable bug into weeks of real-world exploitation.
- Path-traversal flaws remain potent when they target startup folders, adversaries gain persistence at logon.
- Zero-days are currency. The exploit’s alleged sale for $80k shows how cybercrime markets speed proliferation.
- Shared code reuse is dangerous. Non-WinRAR software using its components may unknowingly import vulnerabilities.
- Speed of response matters but update uptake matters more. Even swift patches fail if users aren’t informed or motivated to act.
8. Final Thoughts
WinRAR’s stumble with CVE-2025-8088 is a high-impact reminder: even long-standing, trusted software tools can harbour critical vulnerabilities. The exploit’s sophistication and exploitation timeline illustrate how attackers from state-linked espionage groups to financially motivated cyber-criminals can weaponise flaws within days.
For users, especially those in business or infrastructure sectors, the immediate action is simple: update WinRAR now. For developers and organisations, this incident prompts broader security reflection on auto-updates, third-party libraries, and layered cyber-defence strategies.
In a connected digital era, staying abreast of not only threats but also the mechanics of vulnerabilities and ensuring patches reach all users is vital. Let this serve as a wake-up call: vigilance must pair with action.
Thank you for reading. Stay secure, stay informed.