WinRAR Update: Zero-Day Path Traversal Flaw (CVE-2025-8088) Actively Exploited to Deliver Malware

Security researchers at ESET have uncovered a zero-day path traversal vulnerability in the Windows version of WinRAR that has been actively exploited to execute arbitrary code on victims’ systems. Tracked as CVE-2025-8088 and carrying a CVSS v3.1 score of 8.4, this flaw could allow attackers to hijack a user’s extraction process and plant malicious files in unintended system locations.

When extracting files from an archive, vulnerable versions of WinRAR — including previous Windows releases of RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll — could be tricked into using a file path embedded in a specially crafted archive, rather than the user’s chosen destination path.

This opens the door for attackers to:

• Place malicious files in sensitive directories.
• Overwrite critical system or application files.
• Execute arbitrary code upon file extraction without further user interaction.

ESET’s researchers, Anton Cherepanov, Peter Košinár, and Peter Strýček, emphasized that this flaw has already been weaponized in real-world attacks. The exploitation chain starts with a malicious archive delivered via phishing or another social engineering method, which — when extracted — silently places and runs malware.

Who Is Affected

• Affected: Windows versions of WinRAR and related extraction components (RAR, UnRAR, portable UnRAR source code, UnRAR.dll).
• Not affected: Unix versions of RAR/UnRAR, the portable UnRAR source code and library for Unix, and RAR for Android.

ESET confirmed that “this vulnerability was exploited in the wild”, making it a critical concern for both individual users and organizations relying on WinRAR for compressed file handling. Zero-day exploitation means threat actors had access to and leveraged this flaw before a patch was available.

The vulnerability has been fixed in WinRAR 7.13, which is now available from the official WinRAR website. All Windows users are strongly urged to:

• Update immediately to WinRAR 7.13 or later.
• Avoid opening archives from untrusted sources.
• Consider scanning archives with updated endpoint protection before extraction.

Related Posts:

• Warning: Fake WinRar Websites Distributing Malware
• Google TAG Alerts on Exploitation of WinRAR Vulnerability by State-Backed Hackers
• WinRAR Code Execution Vulnerability
• CVE-2025-6218: WinRAR Directory Traversal Bug Opens the Door to Remote Code Execution
• Hackers exploit CVE-2023-38831 zero-day vulnerability in WinRAR

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.