Path traversal vulnerability in WinRAR exploited in the wild
Summary
Hide β²
Show βΌ
A zero-day vulnerability in WinRAR (CVE-2025-8088) is actively exploited in the wild. The flaw allows arbitrary code execution through malicious archive files. The vulnerability affects multiple versions of WinRAR and related tools. The flaw was discovered by ESET researchers and patched in WinRAR version 7.13. The issue has been exploited by multiple threat actors, including Paper Werewolf and RomCom, targeting various sectors in Russia, Europe, and Canada. The vulnerability allows attackers to manipulate file paths during extraction, leading to unintended code execution. The exploitation involves phishing emails with malicious archives that trigger the vulnerability to achieve code execution.
Timeline
-
11.08.2025 08:54 π° 1 articles
WinRAR zero-day (CVE-2025-8088) actively exploited by multiple threat actors
A zero-day vulnerability in WinRAR (CVE-2025-8088) has been actively exploited in the wild. The flaw allows arbitrary code execution through malicious archive files. The vulnerability affects multiple versions of WinRAR and related tools. The flaw was discovered by ESET researchers and patched in WinRAR version 7.13. The issue has been exploited by multiple threat actors, including Paper Werewolf and RomCom, targeting various sectors in Russia, Europe, and Canada. The exploitation involves phishing emails with malicious archives that trigger the path traversal vulnerability to achieve code execution.
Show sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
Information Snippets
-
CVE-2025-8088 is a path traversal vulnerability in WinRAR with a CVSS score of 8.8.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The flaw allows arbitrary code execution by crafting malicious archive files.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The vulnerability affects WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll for Windows.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek discovered the flaw.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The vulnerability was patched in WinRAR version 7.13, released on July 30, 2025.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
Paper Werewolf (GOFFEE) and RomCom have exploited the vulnerability in targeted attacks.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The attacks involved phishing emails with malicious archives that exploit the path traversal flaw.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The exploitation allows attackers to write files outside the intended directory, achieving code execution.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The attacks targeted Russian organizations in July 2025 and various sectors in Europe and Canada.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The malicious payloads include a .NET loader and various backdoors such as SnipBot, RustyClaw, and Mythic agent.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The flaw affects WinRAR versions up to and including 7.12.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
-
The vulnerability was also exploited by RomCom in a campaign targeting financial, manufacturing, defense, and logistics companies.
First reported: 11.08.2025 08:54π° 1 source, 1 articleShow sources
- WinRAR Zero-Day Under Active Exploitation β Update to Latest Version Immediately β thehackernews.com β 11.08.2025 08:54
Similar Happenings
HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
Cursor AI editor autoruns malicious code in repositories
A flaw in the Cursor AI editor allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The issue arises from Cursor disabling the Workspace Trust feature from VS Code, which prevents automatic task execution without explicit user consent. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately, as it disables certain internal Magento functionalities that may affect custom or external code. The affected versions include Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier. The affected versions also include Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier. The affected versions include Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier. The Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are also affected.
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.