
A critical WinRAR vulnerability, tracked as CVE-2025-8088, was actively exploited as a zero-day in phishing campaigns to deliver the RomCom malware. The flaw is a directory traversal issue: during archive extraction it lets an attacker plant files in locations of their choosing, including system startup folders. WinRAR fixed the vulnerability in version 7.13; because WinRAR has no auto-update mechanism, any system still running an older build remains at risk [1].
Technical Breakdown of the Exploit
The attack chain begins with phishing emails carrying malicious RAR archives, typically disguised as invoices or other business documents. When a victim extracts such an archive with a vulnerable WinRAR build (any version before 7.13), the directory traversal flaw lets the archive write files outside the chosen extraction folder, for example into the per-user Startup folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Anything dropped there is launched the next time the user logs on, which gives the malware persistence without any further action from the victim [2].
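The following is an added example written for this page (it is not WinRAR's code and is not taken from the cited research) showing the check a hardened extractor has to make: every entry name is resolved against the destination directory and refused if the result lands outside it, whether through `..` segments, an absolute path, or a different drive letter. The destination path and the archive listing are constructed for the demonstration, and the code uses Python's `ntpath` module so that Windows path semantics apply on any platform. It makes no claim about the exact header contents the real exploit used.

```python
"""Added example: auditing archive entry names for path traversal before extraction.

Not WinRAR's code. The destination directory and the entry names below are
constructed for illustration; only the checking technique is the point.
"""
import ntpath


def resolve_entry(dest_dir, entry_name):
    """Return the normalized target path for an archive entry, computed the way a
    naive extractor would: join the entry name onto the destination, then normalize.
    ntpath.join discards dest_dir when entry_name is absolute or carries a drive,
    which is exactly why a containment check is needed afterwards."""
    dest = ntpath.normpath(dest_dir)
    return ntpath.normpath(ntpath.join(dest, entry_name))


def is_contained(dest_dir, entry_name):
    """True if the entry would be written inside dest_dir.
    False for '..' escapes, absolute names, and names on another drive."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(resolve_entry(dest_dir, entry_name))
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:
        # ntpath.commonpath raises when the drives differ: never inside dest.
        return False


def audit_listing(dest_dir, entry_names):
    """Split an archive listing into (safe, blocked) lists of
    (entry_name, resolved_path) tuples. A hardened extractor writes only 'safe'."""
    safe, blocked = [], []
    for name in entry_names:
        item = (name, resolve_entry(dest_dir, name))
        (safe if is_contained(dest_dir, name) else blocked).append(item)
    return safe, blocked


# Constructed sample: where the user chose to extract, and what the archive claims
# its members are called. The third entry mirrors the Startup-folder drop described
# in the article; the rest cover the other escape shapes a checker must catch.
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    r"invoice.pdf",
    r"attachments\terms.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"attachments\..\..\..\..\Public\payload.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\loader.exe",
]

if __name__ == "__main__":
    safe, blocked = audit_listing(DEST, SAMPLE_ENTRIES)
    for name, path in safe:
        print(f"OK      {name!r} -> {path}")
    for name, path in blocked:
        print(f"BLOCKED {name!r} -> would write {path}")
```

The containment test is done on normalized, case-folded paths because the naive join/normalize step is precisely what a vulnerable extractor performs; comparing the result against the destination prefix (rather than merely scanning the raw name for `..`) also catches mixed separators such as `a/../../b.exe` and absolute names that replace the destination outright.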
Researchers also identified a related vulnerability, CVE-2025-6218, a directory traversal in WinRAR's handling of crafted archive paths that can likewise lead to remote code execution (RCE). According to the Quorum Cyber report, this flaw was sold on dark web forums for $80,000 before being patched in WinRAR 7.12 beta [3]. Both vulnerabilities were exploited by the RomCom group (Storm-0978), a Russia-aligned threat actor known for targeting government and critical infrastructure entities.
Mitigation and Detection
Organizations should immediately update to WinRAR 7.13 or later. WinRAR does not update itself, so the new build has to be pushed through normal software deployment rather than left to individual users. Additional defensive measures include:
- Disabling automatic archive extraction in email clients
- Monitoring startup folders for suspicious files (e.g., *.exe, *.dll)
- Implementing application allowlisting to block unauthorized executables
Endpoint detection tools can identify RomCom's post-exploitation activity, which includes credential theft and the deployment of EDR-killer tooling that has been linked to eight different ransomware groups [4].
Broader Implications
This incident highlights the risk posed by widely deployed software that has no auto-update mechanism: a fixed build exists, but every installation has to be updated by hand or by management tooling. WinRAR's widespread use in enterprise environments makes it a high-value target for APT groups. The RomCom campaign follows a pattern of exploiting archive-software vulnerabilities, similar to the 2023 attacks that leveraged CVE-2023-38831 [5].
Security teams should prioritize patching and review detection rules for archive-related process trees (e.g., winrar.exe spawning cmd.exe). RomCom's tactics suggest a continued focus on software with delayed patch cycles, particularly in government and defense sectors.
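To make the two detection ideas above concrete (watching Startup folders for executable drops, and flagging winrar.exe spawning a command interpreter), here is an added example written for this page; it is not from the original article, from WinRAR, or from any vendor rule set. It assumes Sysmon-style field names (EventID 11 for file creation with Image and TargetFilename, EventID 1 for process creation with ParentImage, Image and CommandLine) and runs over a constructed set of events. It generalizes slightly beyond the text: the process-tree rule also covers PowerShell and the script hosts, and the Startup rule covers both the per-user and the all-users Startup folders.

```python
"""Added example: a toy detection pass over Sysmon-style events.

Rule 1: executable content written into a Startup folder (high severity when
        the writer is an archiver, medium otherwise).
Rule 2: winrar.exe spawning a command interpreter or script host.

Field names follow Sysmon conventions; the events themselves are constructed
samples, not real telemetry.
"""
import ntpath

# Both the per-user (%APPDATA%\...) and all-users (C:\ProgramData\...) Startup
# folders end with this suffix, so one case-folded marker covers both.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup\\"[:-1]
RISKY_EXT = {".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
ARCHIVERS = {"winrar.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def base(path):
    """Case-folded file name of a Windows path (works on any platform via ntpath)."""
    return ntpath.basename(ntpath.normcase(path))


def is_startup_write(event):
    """EventID 11 whose target sits in a Startup folder and has a risky extension."""
    if event.get("EventID") != 11:
        return False
    target = ntpath.normcase(event.get("TargetFilename", ""))
    return STARTUP_MARKER in target and ntpath.splitext(target)[1] in RISKY_EXT


def is_archiver_spawning_shell(event):
    """EventID 1 where an archiver is the parent and a shell/script host the child."""
    if event.get("EventID") != 1:
        return False
    return base(event.get("ParentImage", "")) in ARCHIVERS and base(event.get("Image", "")) in SHELLS


def detect(events):
    """Run both rules over an event stream and return a list of alert dicts."""
    alerts = []
    for ev in events:
        if is_startup_write(ev):
            writer = ev.get("Image", "")
            alerts.append({
                "rule": "startup_folder_write",
                "severity": "high" if base(writer) in ARCHIVERS else "medium",
                "file": ev["TargetFilename"],
                "writer": writer,
            })
        if is_archiver_spawning_shell(ev):
            alerts.append({
                "rule": "winrar_spawns_shell",
                "severity": "high",
                "parent": ev["ParentImage"],
                "child": ev["Image"],
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.pdf"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Teams.lnk"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "%APPDATA%\update.exe"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe terms.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule will also fire when a user deliberately opens a batch or script file straight from an archive, so in production it is worth tuning on the child command line rather than suppressing the rule; the first rule is the one that survives an attacker switching to a different persistence binary, because it keys on the destination path rather than the dropper.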
References
[1] "CVE-2025-8088 Detail," NVD, 2025.
[2] "WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks," BleepingComputer, 2025.
[3] "Zero-day RCE vulnerability in WinRAR sold on the dark web," Quorum Cyber, 2025.
[4] "New EDR killer tool used by eight different ransomware groups," BleepingComputer, 2025.
[5] WinRAR changelog, 2025.