Path Traversal Vulnerability in WinRAR Exploited by Multiple Threat Actors
Summary
A zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, has been actively exploited by multiple threat actors. The flaw is a path traversal issue: when a victim extracts a specially crafted archive, files can be written to locations outside the chosen extraction folder, which is enough to achieve arbitrary code execution. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, and UnRAR.dll, as well as the portable UnRAR source code. The flaw was discovered by ESET researchers and patched in WinRAR version 7.13. The exploit has been used by the Paper Werewolf and RomCom groups, targeting various sectors including finance, manufacturing, defense, and logistics. The vulnerability was advertised on the dark web forum Exploit.in before being exploited in the wild. The attacks involved phishing emails with malicious archives, leading to code execution and persistence mechanisms.
Timeline
- 11.08.2025 08:54 · 1 article
  WinRAR Path Traversal Vulnerability Exploited by Multiple Threat Actors
  Source: WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately, thehackernews.com, 11.08.2025 08:54
Information Snippets
All snippets below were first reported 11.08.2025 08:54 by a single source: WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately, thehackernews.com.
- CVE-2025-8088 is a path traversal vulnerability in WinRAR with a CVSS score of 8.8.
- The vulnerability allows arbitrary code execution via specially crafted archive files.
- The flaw affects Windows versions of WinRAR, RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code.
- ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek discovered the vulnerability.
- The vulnerability was patched in WinRAR version 7.13, released on July 30, 2025.
- The Paper Werewolf group exploited the vulnerability alongside CVE-2025-6218, a directory traversal bug.
- The RomCom group exploited the vulnerability as a zero-day on July 18, 2025.
- The exploit was advertised on the dark web forum Exploit.in for $80,000.
- The attacks involved phishing emails with malicious archives, leading to code execution and persistence mechanisms.
- The vulnerability affects WinRAR versions up to and including 7.12.
- The flaw allows writing files to arbitrary directories on the disk, facilitating code execution.
- The RomCom group targeted financial, manufacturing, defense, and logistics companies in Europe and Canada.
- The malicious archives carried the path traversal in entry names that used NTFS alternate data stream syntax, so the dropped files landed outside the folder the victim chose for extraction.
- The payloads included a .NET loader, SnipBot variant, RustyClaw, and Mythic agent.
- The 7-Zip tool also patched a related arbitrary file write bug (CVE-2025-55188) in version 25.01.
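Added example, not code from the source article, ESET or WinRAR: the snippets above describe an extractor that was tricked into writing outside the chosen folder because the traversal sequence was carried after the colon of an alternate data stream (ADS) name. The Python below shows the check a hardened extractor needs, applied to the file name and to the stream suffix alike. The entry names, the extraction root and the function names are constructed for illustration.

```python
"""
Hardened extraction-path check for archive entry names (added example).

An entry is written only if it is a plain relative name that stays under
the extraction root. Absolute names, names that climb above the root, and
any alternate data stream suffix ('file.ext:stream') are rejected. A stream
suffix that itself contains separators or '..' is flagged separately as
traversal smuggled past a check that only looked before the colon.
"""
import re
from pathlib import PureWindowsPath

# Drive letter ('C:'), rooted ('\\foo', '/foo') or UNC ('\\\\srv\\share')
# names never belong in an archive meant to be extracted into a folder.
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:|[\\/])")
SEP_RE = re.compile(r"[\\/]+")


def _components(path: str) -> list:
    """Split a Windows-style relative path into its meaningful components."""
    return [p for p in SEP_RE.split(path) if p not in ("", ".")]


def _normalize(parts: list):
    """Resolve '..' components; return the collapsed list, or None if the
    walk ever climbs above the starting directory."""
    stack = []
    for part in parts:
        if part == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(part)
    return stack


def classify_entry(name: str) -> str:
    """Return 'ok' for a safe relative name, otherwise the reason it is
    refused: 'empty', 'absolute', 'traversal', 'ads_traversal' or 'ads'."""
    if ABSOLUTE_RE.match(name):
        return "absolute"
    base, colon, stream = name.partition(":")
    parts = _components(base)
    if not parts:
        return "empty"
    if _normalize(parts) is None:
        return "traversal"
    if colon:
        # A legitimate stream name is a bare identifier. Separators or '..'
        # after the colon are the pattern the page describes: the part
        # before the colon looks harmless, the part after it climbs out.
        if SEP_RE.search(stream) or ".." in _components(stream):
            return "ads_traversal"
        return "ads"
    return "ok"


def safe_destination(root: str, name: str) -> PureWindowsPath:
    """Return the path an entry may be written to, or raise ValueError."""
    verdict = classify_entry(name)
    if verdict != "ok":
        raise ValueError(f"refusing entry {name!r}: {verdict}")
    return PureWindowsPath(root).joinpath(*_normalize(_components(name)))


def scan(entries) -> dict:
    """Map every entry name to its verdict; anything not 'ok' is rejected."""
    return {name: classify_entry(name) for name in entries}


# Constructed sample entry names (not taken from a real archive), paired
# with the verdict a hardened extractor must reach for each.
SAMPLE_ENTRIES = {
    "report.pdf": "ok",
    "docs/2025/summary.txt": "ok",
    "docs\\..\\summary.txt": "ok",  # climbs, but stays inside the root
    "..\\..\\Users\\Public\\run.exe": "traversal",
    "C:\\Windows\\Temp\\drop.dll": "absolute",
    "\\\\share\\drop.dll": "absolute",
    "report.pdf:Zone.Identifier": "ads",
    "report.pdf:..\\..\\..\\Start Menu\\Programs\\Startup\\update.lnk": "ads_traversal",
}


if __name__ == "__main__":
    root = r"C:\Users\alice\Downloads\extracted"  # assumed extraction folder
    for entry, verdict in scan(SAMPLE_ENTRIES).items():
        if verdict == "ok":
            print(f"write  {safe_destination(root, entry)}")
        else:
            print(f"REJECT {entry!r}: {verdict}")
```

Refusing every ADS entry, not only those with traversal in the stream suffix, is deliberate: an archive has no legitimate reason to create a named stream on extraction, and the extractor's safety then does not depend on how the operating system normalizes the text after the colon. The check does not replace the update the page calls for; anything below WinRAR 7.13 is still vulnerable regardless of what an external scanner does.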
Similar Happenings
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Cursor AI editor autoruns malicious code in repositories
A flaw in the Cursor AI code editor allows malicious repositories to execute arbitrary code automatically when opened. This vulnerability can lead to malware installation, environment hijacking, and credential theft. Cursor, an AI-powered IDE based on Visual Studio Code, disables the Workspace Trust feature by default, allowing this behavior. The flaw affects one million users who generate over a billion lines of code daily. Cursor developers have decided not to fix the issue, citing the need to maintain AI and other features. The vulnerability is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding and reasoning agents, which can embed malicious instructions to perform harmful actions or leak data.
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft released updates for 81 vulnerabilities on September 2025 Patch Tuesday, including two publicly disclosed zero-days; none were reported as actively exploited at the time of release. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege (the largest category), 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One of the zero-days was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.
Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The vulnerability was disclosed to selected customers on September 4, 2025, with a patch released on September 9, 2025. Adobe Commerce on Cloud users were protected by a WAF rule until the patch was available. The flaw is considered one of the most severe in the history of the platform, potentially leading to session forging, privilege escalation, and code execution. No exploitation in the wild has been reported, but a hotfix was leaked, which could accelerate exploitation attempts. The vulnerability impacts various versions of Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Custom Attributes Serializable module. Adobe has also patched a critical path traversal vulnerability in ColdFusion (CVE-2025-54261).