Cybersecurity researchers at ESET have uncovered the active exploitation of a critical zero-day vulnerability in WinRAR, designated as CVE-2025-8088. This security flaw enabled threat actors to bypass system protections and deploy malicious software through specially crafted archive files before an official patch became available. The vulnerability represents a significant security risk for organizations and individual users worldwide who rely on the popular file compression utility.
Understanding the CVE-2025-8088 Directory Traversal Vulnerability
The discovered security issue belongs to the directory traversal vulnerability class, affecting multiple components within the WinRAR ecosystem. This flaw allowed attackers to manipulate file extraction paths from archives, effectively bypassing user-defined settings and placing executable files in critical system directories without authorization.
According to official statements from the developers, the vulnerability impacted previous versions of WinRAR, Windows-based RAR, UnRAR, portable UnRAR source code, and the UnRAR.dll library. Notably, Unix versions of the software and RAR for Android platforms remained unaffected by this particular attack vector, limiting the scope of vulnerable systems primarily to Windows environments.
Windows Startup Folder Attack Mechanism
The most dangerous aspect of this vulnerability lies in attackers’ ability to place malicious executable files directly into the Windows startup folder. This technique ensures that harmful code executes automatically during the next user login session, providing hackers with remote code execution capabilities on compromised devices without requiring additional user interaction.
This attack methodology demonstrates sophisticated threat actor capabilities, as it eliminates the need for further social engineering or user engagement beyond the initial archive extraction. The persistence mechanism ensures long-term system compromise and potential data exfiltration opportunities.
RomCom Threat Group Profile and Attribution
The primary threat actor exploiting CVE-2025-8088 has been identified as the RomCom hacking group, operating under various aliases including Storm-0978, Tropical Scorpius, and UNC2596. This well-organized cybercriminal organization specializes in targeted attacks against enterprise environments across multiple industry sectors.
During recent campaign activities, the group distributed several malware variants, including modified versions of SnipBot, RustyClaw, and Mythic. Primary targets included financial institutions, manufacturing companies, defense contractors, and logistics organizations throughout Canada and European nations, indicating a strategic focus on critical infrastructure and high-value corporate assets.
RomCom’s Operational History and Tactics
The RomCom group maintains an extensive history of cybercriminal activities, encompassing ransomware operations, corporate data theft for ransom purposes, and large-scale credential compromise campaigns. The organization’s hallmark characteristics include systematic utilization of zero-day vulnerabilities and development of proprietary malicious software tools.
Additional Threat Actor Exploitation Activities
ESET’s investigation revealed that CVE-2025-8088 was independently exploited by additional threat actors beyond the RomCom group. Russian cybersecurity firm BI.ZONE discovered alternative attack campaigns utilizing the same vulnerability, with the second wave of exploitation beginning several days after initial RomCom activities were detected.
This parallel exploitation pattern suggests the vulnerability details may have been shared among different threat actor communities or independently discovered through reverse engineering efforts, amplifying the overall risk exposure for unpatched systems.
Essential Security Recommendations and Mitigation Strategies
Organizations and individual users must immediately update WinRAR to version 7.13 or later, which was released in late July with patches addressing this critical vulnerability. Security teams should prioritize this update across all Windows-based systems utilizing WinRAR or related components.
Additional protective measures include implementing startup folder monitoring solutions, establishing file execution policies that restrict code execution from temporary directories, and deploying endpoint detection and response (EDR) tools capable of identifying suspicious archive extraction activities.
This incident underscores the critical importance of maintaining current software versions and implementing comprehensive defense-in-depth security strategies. The sophisticated use of zero-day exploits by organized threat groups highlights the evolving cyberthreat landscape, requiring security professionals to maintain constant vigilance and develop rapid response capabilities for emerging attack vectors targeting widely-used software applications.
