A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install RomCom malware.
The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows specially crafted archives to extract files to a file path of the attacker's choosing.
“When extracting a file, previous versions of WinRAR, RAR, UnRAR, Portable UnRAR, and Windows versions of UnRAR.dll can be tricked into using a path defined in a specially crafted archive instead of the user-specified path,” reads the WinRAR 7.13 changelog.
“RAR for Android, and the Unix versions of RAR, UnRAR, Portable UnRAR source code, and the UnRAR library are not affected.”
Using this vulnerability, an attacker can create an archive that extracts executable files into an autorun path, such as a Windows Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide)
The next time the user logs in, the executable is run automatically, giving the attacker remote code execution.
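The defence that closes this class of bug is to resolve every archive entry against the folder the user chose and refuse any entry whose normalised target lands outside it. The following is an added example, not WinRAR's code; it uses Python's ntpath so Windows path rules apply on any OS, and the destination and entry names are constructed samples (the last three model the traversal the article describes, including drops into the two Startup folders listed above).

```python
# Added example (not WinRAR's code): the containment check an extractor must apply
# before writing an archive entry, modelled on the CVE-2025-8088 failure mode where a
# path defined inside the archive, not the user's chosen folder, decided the target.
# Windows path rules via ntpath so this runs on any OS; all names are constructed.
import ntpath

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed destination and entry names; the last three model traversal attempts.
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/cover.png",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
    r"sub\..\..\escape.txt",
]


def resolve_member(dest: str, member: str) -> str:
    """Absolute path an extractor would write `member` to under `dest`.
    Archive names may carry either separator; normalise to backslashes first so
    '..' segments and drive letters are interpreted the way Windows would."""
    return ntpath.normpath(ntpath.join(dest, member.replace("/", "\\")))


def is_contained(dest: str, member: str) -> bool:
    """True only if the resolved target stays inside `dest`.
    Drive-qualified and UNC names are rejected outright; rooted names and '..'
    escapes are caught because the normalised target no longer sits under dest."""
    if ntpath.splitdrive(member.replace("/", "\\"))[0]:
        return False
    root = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(resolve_member(dest, member))
    return target == root or target.startswith(root + "\\")


def lands_in_startup_folder(dest: str, member: str) -> bool:
    """Detection hint: would this entry land in a per-user or machine-wide Startup
    folder (the autorun locations listed above)? Case-insensitive, like NTFS."""
    return STARTUP_MARKER in ntpath.normcase(resolve_member(dest, member))


def audit_entries(dest: str, entries: list[str]) -> list[tuple[str, bool, bool]]:
    """(entry, safe_to_extract, would_hit_startup) for every entry; nothing is written."""
    return [(e, is_contained(dest, e), lands_in_startup_folder(dest, e)) for e in entries]


if __name__ == "__main__":
    for name, safe, startup in audit_entries(DEST, SAMPLE_ENTRIES):
        print(f"{'OK  ' if safe else 'DENY'} {('[Startup]' if startup else ''):<9} {name}")
```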
Since WinRAR does not include automatic updates, we strongly recommend that all users manually download and install the latest version from win-rar.com to be protected from this vulnerability.
Abused as a zero-day in attacks
The flaw was discovered by ESET's Anton Cherepanov, Peter Košinár, and Peter Strýček, who told BleepingComputer that it was actively exploited in phishing attacks to deliver the malware.
“ESET observed a spear-phishing email with attachments containing RAR files,” Strýček told BleepingComputer.
“These archives exploited CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group.”
RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596) is a Russian hacking group linked to ransomware and data extortion attacks, as well as campaigns focused on stealing credentials.
The group is known for using zero-day vulnerabilities in its attacks and for deploying custom malware for data theft, persistence, and backdoor access.
RomCom has previously been associated with numerous ransomware operations, including Cuba and Industrial Spy.
ESET is working on a report on the exploitation, which will be published at a later date.