CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf and RomCom, have exploited this vulnerability to target various organizations. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware.

Timeline

  1. 11.08.2025 08:54 1 articles · 1mo ago

    WinRAR Path Traversal Vulnerability (CVE-2025-8088) Exploited by Multiple Threat Actors

    A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf and RomCom, have exploited this vulnerability to target various organizations. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware.

    Show sources

Information Snippets

Similar Happenings

Command injection flaw in Libraesva ESG exploited by state actors

Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's ReadMe mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.

Critical deserialization flaw in DELMIA Apriso MOM actively exploited

A critical deserialization vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software (CVE-2025-5086) is actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution (RCE) and has been exploited to deliver the Zapchast malware. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. The flaw is actively exploited via malicious SOAP requests to vulnerable endpoints, loading and executing a Base64-encoded, GZIP-compressed .NET executable embedded in the XML. The malicious requests were observed originating from the IP 156.244.33[.]162, likely associated with automated scans. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by October 2, 2025.