WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score 54
2 unique sources, 3 articles

Summary

The CVE-2025-8088 WinRAR path traversal flaw is being actively exploited, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abuse Alternate Data Streams (ADS) to hide payloads and drop files into locations such as the Windows Startup folder. The weakness can support initial access and execution of files like LNK, HTA, BAT, CMD, and scripts on user login. Exploitation has been observed since July 18, 2025 and remains ongoing.

Timeline

  1. 27.01.2026 21:38 · 3 articles

    CVE-2025-8088 exploitation begins in WinRAR

    Exploitation Observed

    Threat actors begin exploiting CVE-2025-8088 in WinRAR for initial access, using Alternate Data Streams (ADS) and directory traversal to write malicious files to arbitrary locations and set up payload delivery.

  2. 27.01.2026 21:38 · 2 articles

    GTIG reports ongoing WinRAR exploitation and actor set

    Initial Disclosure

    Google Threat Intelligence Group (GTIG) reports ongoing exploitation of CVE-2025-8088 in WinRAR by state-sponsored and financially motivated actors, including UNC4895 (RomCom/CIGAR), APT44 (FROZENBARENTS), TEMP.Armageddon (CARPATHIAN), Turla (SUMMIT), and China-linked actors. It also notes commodity activity such as XWorm, AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser. GTIG also cites ESET's early August 2025 discovery of RomCom zero-day activity and says working exploits were being sold by suppliers such as "zeroplayer".
