WinRAR Vulnerability: CVE-2025-8088

What it is, who’s exploiting it, and how to mitigate (now)

TL;DR: CVE‑2025‑8088 is a path‑traversal flaw in WinRAR for Windows that lets a malicious RAR drop files outside the chosen extraction folder (e.g., into Startup) and execute on next logon. It’s being exploited now. Patch to WinRAR 7.13 immediately; if patching lags, block WinRAR/UnRAR via AppLocker/WDAC or a short‑lived IFEO rule. Add detections for WinRAR writing to autorun locations and the PSFactoryBuffer COM hijack.

At‑a‑glance

• Affects inventory endpoints running WinRAR ≤ 7.12.

• Patch to WinRAR 7.13 across Windows hosts.

• Add a temporary block on WinRAR/UnRAR where updates aren’t complete (AppLocker/WDAC; IFEO only as a short‑term last resort).

• Quarantine RAR attachments for high‑risk users.

• Monitor for new autorun LNKs and suspicious DLLs in temp after extractions.

• Hunt for the PSFactoryBuffer COM hijack artifact on user profiles.

Executive summary

• Vulnerability: Directory/path traversal in WinRAR for Windows enables files to be written outside the intended extraction directory; attackers use this to plant .LNK launchers and payload DLL/EXE in privileged locations (e.g., Startup).

• Impact: Code runs on next user logon (persistence), enabling backdoors and further payload staging. Observed malware families include SnipBot variant, RustyClaw, and Mythic agent.

• Exploitation: In the wild by RomCom since mid‑July 2025; another actor (reported as “Paper Werewolf”) also leveraged the bug. Lures commonly pose as job applications delivered as RAR archives.

• Fix: Patched in WinRAR 7.13 (released July 30, 2025). WinRAR does not auto‑update—manual action required.

• Prioritization: Added to CISA KEV on Aug 12, 2025—treat as an emergency update.

Affected scope

• Products: WinRAR (Windows) including command‑line tools (rar.exe/unrar.exe) and software using UnRAR.dll (Windows builds or projects compiled from the portable UnRAR source). Versions ≤ 7.12 are vulnerable.

• Not affected in this campaign: Non‑Windows variants noted by researchers (e.g., Unix/Android builds) were not implicated in the exploit chains described.

How the exploit works (at a glance)

1. A weaponized .rar appears to contain a single benign file (often a résumé).

2. Hidden alternate data streams (ADSes) and traversal elements (..\) are abused so that, on extraction, WinRAR writes:

   • a payload (e.g., msedge.dll) into %TEMP%, and

   • a .LNK into Startup (autorun), achieving persistence on next logon.

3. Some archives include decoy ADS entries to create visible extraction errors that bury the truly suspicious paths.

4. Post‑extraction, the .LNK chains to COM hijack and loaders, ultimately launching backdoors (observed chains include COM hijack of PSFactoryBuffer, ApbxHelper.exe/SnipBot variant, and Complaint.exe/RustyClaw).

Key registry artifact (COM hijack):

HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 → %TEMP%\msedge.dll

Known threat activity

• RomCom (aka Storm‑0978 / Tropical Scorpius / UNC2596) used CVE‑2025‑8088 in spear‑phish campaigns (July 18–21, 2025) targeting finance, manufacturing, defense, and logistics orgs in Europe/Canada. Delivered payloads include SnipBot variant, RustyClaw, and Mythic agent.

• Paper Werewolf reportedly exploited the bug against Russian orgs a few days after RomCom’s activity began.

Mitigation & hardening (practical playbook)

1) Patch fast (primary control)

• Update to WinRAR 7.13 (published July 30, 2025). WinRAR doesn’t auto‑update—download and install manually. Validate winrar.exe file version post‑install.

PowerShell quick check

$path = "${env:ProgramFiles}\WinRAR\winrar.exe"
if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { "WinRAR not found in Program Files." }

2) Short‑term containment if patching lags (enterprises)

The SRP + IFEO approach can neutralize WinRAR/UnRAR even if users try to bypass standard controls. Use these as temporary measures on at‑risk hosts while you roll out 7.13.

• Software Restriction Policies (SRP) / AppLocker / WDAC

  • Block execution of winrar.exe, rar.exe, unrar.exe via hash or publisher rules (prefer over broad path rules).

  • Alternatively, allow only approved archivers, and deny WinRAR binaries organization‑wide until patched.

• IFEO (Image File Execution Options) “Debugger” block (emergency only)

  • Create IFEO keys for winrar.exe, rar.exe, unrar.exe with Debugger pointing to a harmless stub (e.g., %SystemRoot%\System32\svchost.exe /?) so invocation fails.

  • Caution: IFEO can be abused and may have side effects—log/document carefully, scope narrowly; remove when patching completes.

• Email/Content filtering

  • Temporarily quarantine or strip RAR attachments from external senders in high‑risk business units.

  • Tag or block messages containing the job‑application lure patterns seen in this campaign.

• File association hygiene

  • Remove .rar → WinRAR associations on unpatched machines (open with a safer tool or disallow extraction entirely until patched).

3) Prevent persistence abuse

• Deny standard users write access to autorun folders (Startup) where business requirements allow.

• Monitor and alert on writes into:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk

  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\*.lnk

Detection & threat hunting

Focus on extraction‑time and persistence signals:

1. File system writes by WinRAR/UnRAR to autorun paths

   • Telemetry to collect: Sysmon Event ID 11 (FileCreate) with process winrar.exe/unrar.exe and target in \Startup\*.lnk.

2. Suspicious DLLs in %TEMP% followed by autorun .LNK creation.

   • Hunt for msedge.dll (per reported samples) or unexpected DLLs in %TEMP% within minutes of a WinRAR process start.

3. COM hijack for PSFactoryBuffer

   • Registry writes to HKCU:\Software\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 pointing to a non‑Microsoft DLL in user profile/temp.

4. Process Lineage

   • .lnk launched from Startup spawning unusual binaries in %LOCALAPPDATA% (e.g., ApbxHelper.exe, Complaint.exe) soon after user logon.

Basic PowerShell triage (autorun LNKs modified recently)

$paths = @(
"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
"$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
Get-ChildItem $paths -Filter *.lnk -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
Select-Object FullName,Length,LastWriteTime

Check the suspicious COM hijack key

Get-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32" -ErrorAction SilentlyContinue

IoCs: Integrate the public IoC set for this campaign into EDR blocklists and retro‑hunts (hashes, filenames, domains, and infrastructure).

Governance, risk & compliance notes

• KEV‑listed: Federal programs should follow CISA KEV deadlines for remediation. Track completion of 7.13 deployment and validate with version checks.

• Vulnerability metadata & scoring: CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High). Treat phishing controls and attachment handling as part of the control set.

FAQ

• Is 7‑Zip affected?

  • No evidence from advisories indicates that 7‑Zip is affected by this bug; the vulnerability and patch come from RARLAB/WinRAR.

• We can’t patch this week—what’s the safest stopgap?

  • Block WinRAR/UnRAR execution via AppLocker/WDAC (publisher/hash rules) and—only if you must—layer an IFEO debugger block. Pair with RAR attachment controls, monitor autorun folder writes, and remove .rar associations. Remove all stopgaps once 7.13 is deployed.

• Where can I read authoritative technical details?

  • See the references below for the vendor release, primary research, KEV entry, and scanner/plugin coverage.

Bottom line

This is a high‑impact, actively exploited flaw with straightforward phishing delivery. Patch to WinRAR 7.13 across Windows endpoints now, monitor for autorun‑path writes and COM‑hijack keys, and—if patching takes time—apply SRP/AppLocker/WDAC controls (and optional IFEO blocks) to defang WinRAR until your estate is updated.

###

References

1. ESET WeLiveSecurity — Update WinRAR tools now: RomCom and others exploiting zero‑day vulnerability (Aug 11, 2025). https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

2. RARLAB / WinRAR — WinRAR 7.13 Final released (Release date: Jul 30, 2025; notes updated Aug 12, 2025). https://www.win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=283

3. RARLAB / WinRAR — Latest news (index listing showing 7.13 release). https://www.win-rar.com/latestnews.html

4. RARLAB — What’s new in WinRAR 7.13 (advisory noting fix for directory traversal). https://www.win-rar.com/whatsnew.html

5. CISA — CISA adds CVE‑2025‑8088 to KEV Catalog (Aug 12, 2025). https://www.cisa.gov/news-events/alerts/2025/08/12/cisa-adds-three-known-exploited-vulnerabilities-catalog

6. CISA — Known Exploited Vulnerabilities Catalog entry: CVE‑2025‑8088. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

7. NVD (NIST) — CVE‑2025‑8088 (CVSS v3.1 8.8; details and timeline). https://nvd.nist.gov/vuln/detail/CVE-2025-8088

8. CVE.org — CVE Record: CVE‑2025‑8088. https://www.cve.org/CVERecord?id=CVE-2025-8088

9. Tenable / Nessus — RARLAB WinRAR < 7.13 Directory Traversal (CVE‑2025‑8088), Plugin 248462. https://www.tenable.com/plugins/nessus/248462

10. Help Net Security — WinRAR zero‑day was exploited by two threat actors (Paper Werewolf in addition to RomCom) (Aug 12, 2025). https://www.helpnetsecurity.com/2025/08/12/winrar-zero-day-cve-2025-8088-attacks/

11. Vicarius / vSociety — CVE‑2025‑8088: Mitigate WinRAR Zero‑Day using SRP & IFEO (includes PowerShell script & explainer). https://www.vicarius.io/vsociety/posts/cve-2025-8088-mitigate-winrar-zero-day-using-srp-and-ifeo