A just lately fastened WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing assaults to put in the RomCom malware.
The flaw is a listing traversal vulnerability that was fastened in WinRAR 7.13, which permits specifically crafted archives to extract information right into a file path chosen by the attacker.
“When extracting a file, earlier variations of WinRAR, Home windows variations of RAR, UnRAR, moveable UnRAR supply code and UnRAR.dll will be tricked into utilizing a path, outlined in a specifically crafted archive, as a substitute of consumer specified path,” reads the WinRAR 7.13 changelog.
“Unix variations of RAR, UnRAR, moveable UnRAR supply code and UnRAR library, additionally as RAR for Android, are usually not affected.”
Utilizing this vulnerability, attackers can create archives that extract executables into autorun paths, such because the Home windows Startup folder situated at:
%APPDATApercentMicrosoftWindowsStart MenuProgramsStartup (Native to consumer)
%ProgramDatapercentMicrosoftWindowsStart MenuProgramsStartUp (Machine-wide)
The subsequent time a consumer logs in, the executable will robotically run, permitting the attacker to attain distant code execution.
As WinRAR doesn’t embody an auto-update function, it’s strongly suggested that every one customers manually obtain and set up the most recent model from win-rar.com so they’re shielded from this vulnerability.
Exploited as a zero-day in assaults
The flaw was found by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing assaults to put in malware.
“ESET has noticed spearphishing emails with attachments containing RAR information,” Strýček instructed BleepingComputer.
These archives exploited the CVE-2025-8088 to ship RomCom backdoors. RomCom is a Russia-aligned group.”
RomCom (additionally tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion assaults, together with campaigns targeted on stealing credentials.
The group is understood for its use of zero-day vulnerabilities in assaults and the usage of customized malware to be used in data-theft assaults, persistence, and to behave as backdoors.
RomCom has beforehand been linked to quite a few ransomware operations, together with Cuba and Industrial Spy.
ESET is engaged on a report concerning the exploitation, which might be printed at a later date.
Malware concentrating on password shops surged 3X as attackers executed stealthy Good Heist situations, infiltrating and exploiting crucial programs.
Uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and easy methods to defend in opposition to them.
