CVE-2025-8088, a recently fixed WinRAR vulnerability, was exploited as a zero-day in phishing attacks to install RomCom malware.
The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows specially crafted archives to extract files into a file path chosen by the attacker.
“When extracting a file, previous versions of WinRAR, the Windows version of RAR, UnRAR, the portable UnRAR source code and UnRAR.dll can be tricked into using a path defined in a specially crafted archive instead of the user-specified path,” reads the WinRAR 7.13 changelog.
“Unix versions of RAR, UnRAR, the portable UnRAR source code and the UnRAR library, as well as RAR for Android, are not affected.”
Using this vulnerability, attackers can create archives that extract an executable into an autorun path, such as the Windows Startup folders:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (Local to user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (Machine-wide)
The next time the user logs in, the executable runs automatically, giving the attacker remote code execution.
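As an added example (not code from the article or from WinRAR), the following Python check models the defensive test an extractor, mail gateway or archive scanner should apply to entry names before anything is written to disk: each name is normalised as a Windows extractor would see it and flagged if it escapes the destination directory (via `..` segments, a drive letter, a rooted or UNC path) or lands in one of the Startup folders named above. The archive entry names are constructed samples, not indicators from a real campaign.

```python
import ntpath

# Constructed sample entry names, as they might appear in an archive listing.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
    "images/../../outside.txt",
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def normalize_entry(name: str) -> str:
    """Normalize an entry name the way a Windows extractor would interpret it.

    Both separators are accepted and '.' / '..' segments are collapsed so that
    a name like 'a\\..\\..\\b' is judged by where it actually ends up.
    """
    return ntpath.normpath(name.replace("/", "\\"))


def entry_escapes(name: str) -> bool:
    """True if extracting this entry would write outside the destination directory."""
    norm = normalize_entry(name)
    if ntpath.splitdrive(norm)[0]:          # drive letter, e.g. C:\...
        return True
    if norm.startswith("\\"):               # rooted (\Windows\...) or UNC (\\server\share)
        return True
    # After normalisation, any remaining leading '..' escapes the destination.
    return norm == ".." or norm.startswith("..\\")


def targets_startup(name: str) -> bool:
    """True if the entry is a file inside a Windows Startup folder."""
    return STARTUP_MARKER in normalize_entry(name).lower()


def scan_entries(names):
    """Return the entry names a safe extractor should refuse to write."""
    return [n for n in names if entry_escapes(n) or targets_startup(n)]


if __name__ == "__main__":
    for bad in scan_entries(SAMPLE_ENTRIES):
        print("REJECT:", bad)
```

A safe extractor applies the same normalisation and additionally resolves the final path and checks that it still has the destination directory as a prefix before opening the file for writing.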
As WinRAR does not include an auto-update feature, all users are strongly advised to manually download and install the latest version from win-rar.com to protect themselves from this vulnerability.
Exploited as a zero-day in attacks
The flaw was discovered by ESET's Anton Cherepanov, Peter Košinár, and Peter Strýček, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.
“ESET has seen spearphishing emails with RAR file attachments,” Strýček told BleepingComputer.
These archives exploited CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russian threat group.
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks that also focuses on stealing credentials.
The group is known for exploiting zero-day vulnerabilities in its attacks and for using custom malware for data theft, persistence, and backdoor access.
RomCom has previously been linked to several ransomware operations, including Cuba and Industrial Spy.
ESET is working on a report about the exploitation, which will be published at a later date.