NG Solution Team

Is WinRAR’s zero-day vulnerability being exploited to spread RomCom malware?

A zero-day vulnerability in the widely used file compression tool WinRAR has been exploited by the Russia-aligned threat group RomCom. ESET observed the exploitation on July 18, 2025, and the flaw is now tracked as CVE-2025-8088. It is a path traversal bug: a malicious archive stores a harmless-looking file entry together with an NTFS alternate data stream (ADS) whose stream name is really a relative path, so that during extraction the hidden content is written outside the folder the user chose. The user only has to extract the archive; no prompt or warning is shown, which lets attackers plant a backdoor without the victim noticing.

ESET researchers report that this is at least the third time RomCom has exploited a zero-day vulnerability. The flaw affects the Windows versions of WinRAR, RAR, UnRAR, the portable UnRAR source code and UnRAR.dll up to and including version 7.12. Crafted archives use the ADS trick to escape the extraction directory and drop executables or shortcut files into sensitive locations such as the user's Startup folder, so the payload runs at the next logon. The code runs with the privileges of the user who extracted the archive; what the attacker gains is code execution and persistence on the affected system.
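The following triage script is an added example, not code from ESET, RARLAB or the article. It shows the check a responder would run over the entry names of a suspect archive (for example the output of `unrar lb`, or a file listing from another archive parser): split off any ADS component, work out where the entry would land under the chosen destination, and flag ADS names that contain path separators, classic `..` traversal, absolute paths, anything that escapes the destination, and anything aimed at a Startup folder. The resolution model is an assumption on my part: the ADS name is allowed to take part in `..` collapsing the way Win32 path normalisation collapses `..` components, which `ntpath.normpath` reproduces. The destination path and all entry names are constructed for illustration.

```python
"""Flag archive entry names that use ADS-based path traversal (CVE-2025-8088 pattern).

Added example, not ESET's or WinRAR's code. Entry names below are constructed.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# "..\" or "../" as a whole path component, anywhere in the string
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# A drive-letter prefix ("C:\...") is a legitimate colon, not an ADS separator
DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')
STARTUP_HINT = r'start menu\programs\startup'

# Constructed destination: where the user asked WinRAR to extract
DEST = r'C:\Users\alice\Downloads'

# Constructed entry names. The ADS entry mimics the reported technique:
# a decoy document name carrying a stream whose name is a relative path.
ADS_ENTRY = (r'CV.pdf:' + r'..\\' * 10 +
             r'Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk')
SAMPLE_ENTRIES = [
    r'CV.pdf',                      # benign decoy document
    r'docs\report.docx',            # benign nested file
    r'notes.txt:Zone.Identifier',   # benign ADS, no path inside the stream name
    ADS_ENTRY,                      # ADS carrying a traversal path
    r'..\..\evil.exe',              # classic traversal, no ADS
    r'C:\Windows\Temp\x.exe',       # absolute path (a naive extractor would honour it)
]


def split_ads(name: str) -> Tuple[str, str]:
    """Return (file_part, stream_part); stream_part is '' when no ADS is present."""
    prefix, body = '', name
    m = DRIVE_RE.match(name)
    if m:                                   # keep "C:\" out of the colon search
        prefix, body = name[:m.end()], name[m.end():]
    if ':' not in body:
        return name, ''
    file_part, stream_part = body.split(':', 1)
    return prefix + file_part, stream_part


def resolve_target(dest: str, entry_name: str) -> str:
    """Path the entry would be written to if the extractor applied no containment
    check. Assumption: the ADS name joins in '..' collapsing like Win32 normalisation,
    so 'CV.pdf:..' is one component that a following '..' pops, and so on upward."""
    return ntpath.normpath(ntpath.join(dest, entry_name))


def is_contained(dest: str, target: str) -> bool:
    """True when target lies inside dest (case-insensitive, separator-normalised)."""
    dest_n = ntpath.normcase(ntpath.normpath(dest)).rstrip('\\') + '\\'
    return ntpath.normcase(target).startswith(dest_n)


def classify(dest: str, entry_name: str) -> List[str]:
    """Return the list of findings for one entry name (empty list means nothing odd)."""
    findings: List[str] = []
    file_part, stream_part = split_ads(entry_name)
    if stream_part:
        if TRAVERSAL_RE.search(stream_part) or '\\' in stream_part or '/' in stream_part:
            findings.append('ads-path-traversal')   # a stream name must never be a path
        else:
            findings.append('ads')                  # ADS present, but name looks plain
    if TRAVERSAL_RE.search(file_part):
        findings.append('traversal')
    if DRIVE_RE.match(entry_name) or entry_name.startswith(('\\', '/')):
        findings.append('absolute-path')
    target = resolve_target(dest, entry_name)
    if not is_contained(dest, target):
        findings.append('escapes-destination')
    if STARTUP_HINT in target.lower():
        findings.append('startup-folder')           # would run at next logon
    return findings


def triage(dest: str, names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {n: f for n in names if (f := classify(dest, n))}


if __name__ == '__main__':
    for name, findings in triage(DEST, SAMPLE_ENTRIES).items():
        print(f'{name}\n    -> {", ".join(findings)}\n    -> {resolve_target(DEST, name)}')
```

Anything tagged `ads-path-traversal` or `escapes-destination` is a reason to quarantine the archive rather than extract it; a plain `ads` finding on its own is common (the `Zone.Identifier` mark-of-the-web stream, for instance) and is not by itself suspicious.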

The RomCom group, also tracked as Storm-0978, has a history of mixing financially motivated cybercrime with espionage. In the campaign observed between July 18 and 21, 2025, it targeted companies in sectors including finance and defense across Europe and Canada with spearphishing emails posing as job applications. Each attachment was a RAR archive that looked like an ordinary CV; alongside the decoy document it carried hidden ADS entries whose paths escaped the user's chosen extraction folder, dropping the malware and a launcher that gave the attackers command-and-control access once the victim logged in again.

Users should update to WinRAR 7.13 or later. WinRAR has no automatic update mechanism, so the new version must be downloaded from the vendor and installed manually; an old copy of UnRAR.dll shipped with other software also needs replacing. The fix addresses this specific directory traversal flaw, which is separate from the path traversal issue that had already been fixed in version 7.12. Unix versions of RAR and UnRAR are not affected. Windows users should scan archives with up-to-date security tools before extracting them, treat archives arriving as unsolicited job applications with suspicion, and watch for new shortcut or executable files appearing in Startup folders, since that is where this campaign placed its launcher.
