Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors
Summary
A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf and RomCom, have exploited this vulnerability to target various organizations. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware.
Timeline
- 11.08.2025 08:54 (1 article)
WinRAR Path Traversal Vulnerability (CVE-2025-8088) Exploited by Multiple Threat Actors
Source:
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately — thehackernews.com — 11.08.2025 08:54
Information Snippets
- The vulnerability (CVE-2025-8088) is a path traversal flaw in WinRAR that allows arbitrary code execution.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The flaw affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The vulnerability was discovered by Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The issue was patched in WinRAR version 7.13, released on July 30, 2025.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- Threat actors Paper Werewolf and RomCom have exploited this vulnerability in targeted attacks.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The attacks involve phishing emails with malicious archives that exploit the vulnerability to achieve code execution.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The payloads include a .NET loader that sends system information to an external server and receives additional malware.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The attacks targeted Russian organizations in July 2025, with phishing emails bearing booby-trapped archives.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The vulnerability was also exploited by the RomCom group, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The RomCom group used malicious archives with alternate data streams for path traversal, achieving persistence through a Windows shortcut in the startup directory.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The payloads included backdoors such as SnipBot, RustyClaw, and Mythic agent.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
- The Paper Werewolf group likely acquired the exploit from a cybercriminal forum, where it was advertised for $80,000.
  First reported: 11.08.2025 08:54 (1 source, 1 article)
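The summary and the RomCom snippet above describe the same mechanism: an archive entry whose name carries parent-directory segments or an NTFS alternate data stream, so that extraction lands outside the folder the user chose (for instance in a Startup directory). A defensive entry-name check that an extractor or mail gateway can apply before writing anything to disk looks like this. It is an added example, not code from WinRAR, ESET or the article; the entry names and the `/extract` root are constructed.

```python
import posixpath

# Constructed sample entry names (not taken from any real archive). The fourth
# mirrors the shape the article attributes to RomCom: an innocuous file name, a
# colon introducing an alternate data stream, then a traversal path (abbreviated).
SAMPLE_ENTRIES = [
    "report/Q3_summary.pdf",
    "report/images/chart.png",
    "..\\..\\Startup\\update.lnk",
    "Q3_summary.pdf:..\\..\\Startup\\update.lnk",
    "C:\\Users\\Public\\update.exe",
    "/etc/cron.d/update",
]


def is_safe_archive_entry(name: str, root: str = "/extract") -> bool:
    """Return True only if extracting `name` under `root` cannot escape `root`.

    Deliberately conservative: any parent-directory segment, absolute path,
    Windows drive prefix or NTFS alternate data stream (a colon anywhere in the
    name) is rejected, because each lets the archive pick its own destination
    instead of the directory the user selected.
    """
    if not name or "\x00" in name:
        return False
    norm = name.replace("\\", "/")           # archives built on Windows mix separators
    if norm.startswith("/") or ":" in norm:   # absolute path, drive letter, or ADS
        return False
    segments = [s for s in norm.split("/") if s not in ("", ".")]
    if not segments or ".." in segments:
        return False
    # Belt and braces: the resolved destination must still sit strictly below root.
    dest = posixpath.normpath(posixpath.join(root, "/".join(segments)))
    return dest.startswith(root.rstrip("/") + "/")


def triage_entries(entries, root: str = "/extract"):
    """Split entry names into those safe to extract and those that must be blocked."""
    safe, blocked = [], []
    for entry in entries:
        (safe if is_safe_archive_entry(entry, root) else blocked).append(entry)
    return safe, blocked


if __name__ == "__main__":
    ok, bad = triage_entries(SAMPLE_ENTRIES)
    for entry in bad:
        print("BLOCK", entry)
    for entry in ok:
        print("OK   ", entry)
```

Logging the blocked names rather than silently skipping them gives responders a concrete indicator to hunt for across other mailboxes.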
Similar Happenings
Command injection flaw in Libraesva ESG exploited by state actors
Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.
Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware
A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. Disguised as a utility library, the package was downloaded at least 327 times before being removed from the npm registry and flagged as malware posing a supply-chain risk. It fetched a JPG image containing a QR code, which in turn delivered a second-stage payload; the QR code was made unusually dense and hard to read with standard phone cameras, a steganographic step intended to evade detection. The package was published by a Chinese-speaking attacker using the alias 'janedu' and carried multiple layers of obfuscation, including reversed strings as an anti-analysis technique; its ReadMe mentioned a QR Code Module so that the functionality seemed legitimate. The payload read a web cookie and, if both were present, extracted the username and password, sending the stolen credentials via an HTTPS POST request to a command-and-control server. The attacker's activity status on the npm registry remains unclear.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
Critical deserialization flaw in DELMIA Apriso MOM actively exploited
A critical deserialization vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software (CVE-2025-5086) is actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution (RCE) and has been exploited to deliver the Zapchast malware. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. The flaw is actively exploited via malicious SOAP requests to vulnerable endpoints, loading and executing a Base64-encoded, GZIP-compressed .NET executable embedded in the XML. The malicious requests were observed originating from the IP 156.244.33[.]162, likely associated with automated scans. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by October 2, 2025.