WinRAR Zero-Day Exploited in Phishing Attacks (CVE-2025-8088)
A high-severity directory traversal zero-day in WinRAR (CVE-2025-8088) is being weaponized through phishing emails to deploy the RomCom malware silently. Patch and monitor now: the easiest way onto an endpoint is usually a file the user downloads and opens, not a web exploit.

What's Happening
A new zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, is being actively exploited. The directory traversal flaw lets attackers craft RAR archives whose entries are written outside the folder the user chose for extraction, including into the Windows Startup folder, so the dropped payload runs at the next user login and gives the attacker persistent code execution. Deployments of the RomCom malware via phishing attachments have already been observed.
About the Threat
- CVE-2025-8088 is a path traversal vulnerability: the attacker embeds files in a specially crafted archive with entry names that escape the extraction directory.
- When a user extracts such an archive, the payload is written to a Startup location, so the malicious code runs automatically at login without any further user action.
- The malware observed, RomCom, is linked to advanced espionage activity, including ransomware and data theft campaigns, primarily targeting users across Europe and North America.
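The traversal described above is a failure to confine archive entry names to the extraction root. The following is an added example, not code from the original page, WinRAR, or the researchers who reported the flaw: it applies Windows path semantics (via Python's `ntpath`) to a constructed list of entry names, flags the ones that would escape the chosen folder or carry an absolute path or alternate-data-stream suffix (a generic hardening check, not a claim about how this CVE is triggered), and reports whether the resolved target lands in a per-user or all-users Startup folder. The extraction root, entry names and Startup-folder markers are all assumptions for illustration.

```python
import ntpath

# Constructed sample entry names, as an archive parser would yield them.
# These are illustrative only and are not taken from any real sample.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe",
    "notes.txt:hidden.exe",
    "sub\\..\\..\\escape.dll",
]

# Suffix shared by the per-user (%APPDATA%) and all-users (%ProgramData%)
# Startup folders; compared case-insensitively against the resolved target.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def resolve_entry(extract_root, name):
    """Resolve one entry name against the extraction root.

    Returns (resolved_target, verdict) where verdict is one of
    'ok', 'absolute', 'traversal' or 'ads'.
    """
    # An absolute or drive-qualified name ignores the extraction root entirely.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return ntpath.normpath(name), "absolute"

    root = ntpath.normpath(extract_root)
    # normpath collapses '.' and '..' and unifies '/' and '\\' separators.
    target = ntpath.normpath(ntpath.join(root, name))

    # A safe extractor requires the resolved target to stay under the root.
    if ntpath.commonpath([root, target]).lower() != root.lower():
        return target, "traversal"

    # A colon in the final component names an NTFS alternate data stream;
    # a plain file name should never carry one.
    if ":" in ntpath.basename(name):
        return target, "ads"

    return target, "ok"


def lands_in_startup(target):
    """True if the resolved target is inside a Windows Startup folder."""
    return STARTUP_MARKER in target.lower()


def scan_entries(extract_root, names):
    """Classify every entry; returns [(name, verdict, in_startup), ...]."""
    findings = []
    for name in names:
        target, verdict = resolve_entry(extract_root, name)
        findings.append((name, verdict, lands_in_startup(target)))
    return findings


if __name__ == "__main__":
    # Assumed extraction root: a folder the user picked under Downloads.
    for name, verdict, in_startup in scan_entries(
        "C:\\Users\\alice\\Downloads\\invoice", SAMPLE_ENTRIES
    ):
        flag = " [STARTUP]" if in_startup else ""
        print(f"{verdict:9s} {name}{flag}")
```

The same check applies to any archive format: reject the entry before writing anything to disk whenever the verdict is not `ok`, rather than writing first and cleaning up afterwards.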
ThreatGrid Takeaways
| Action Priority | Recommendation |
|---|---|
| High | Update to WinRAR 7.13 (or newer) immediately; this release removes the directory traversal flaw. WinRAR does not update itself, so the new build must be downloaded and installed on every endpoint. |
| Medium | Block or sandbox RAR attachments at the mail gateway; open any that must be handled only in a hardened, isolated environment. |
| High | Monitor user systems for unexpected executables in the Startup folders (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and `%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup`), especially shortly after an archive is downloaded or extracted. |
| Low | Educate users to verify the source of RAR files and to treat unexpected compressed attachments with caution. |