Full Report
Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads. "Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated
Analysis Summary
# Vulnerability: Active Exploitation of WinRAR Path Traversal Flaw
## CVE Details
- CVE ID: CVE-2025-8088
- CVSS Score: 8.8 (Critical)
- CWE: Path Traversal (Inferred from description regarding dropping files into system folders)
## Affected Systems
- Products: RARLAB WinRAR
- Versions: Prior to 7.13
- Configurations: Any system running vulnerable versions where users interact with malicious archive files.
## Vulnerability Description
CVE-2025-8088 is a critical path traversal vulnerability found in RARLAB WinRAR. Maliciously crafted archive files can exploit this flaw to drop arbitrary files, specifically targeting the Windows Startup folder. This path traversal mechanism allows the attacker to achieve persistence on the compromised system by ensuring the payload executes automatically upon user login after a system restart. Successful exploitation can lead to arbitrary code execution.
## Exploitation
- Status: Exploited in the wild (Reported as an "n-day" vulnerability actively exploited by nation-state groups and financially motivated actors since at least July 18, 2025).
- Complexity: Medium (Requires user interaction to open the malicious archive, but the extraction process itself is automated).
- Attack Vector: Network (Delivery via malicious archive).
## Impact
- Confidentiality: High (Implied, as exploited payloads include RATs and information stealers).
- Integrity: High (Arbitrary code execution and system persistence).
- Availability: Medium (Implied, depending on the deployed malware payload).
## Remediation
### Patches
- WinRAR version 7.13 (Released July 30, 2025) and later versions contain the fix.
### Workarounds
- Users should exercise extreme caution when opening RAR archives received from untrusted sources or unexpected locations.
- Temporarily disable auto-run features associated with the Windows Startup folder until mitigation can be fully verified.
## Detection
- **Indicators of Compromise (IOCs):** Look for unauthorized files (e.g., LNK files, batch scripts, HTA files) being created or extracted into the Windows Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`).
- **Attack Patterns:** Investigation should focus on processes launched from the Startup folder shortly after a RAR archive was extracted. Payloads observed in these campaigns include SnipBot, AsyncRAT, XWorm, and Poison Ivy; correlate any sign of them with recent archive file processing.
- **Detection Methods and Tools:** Monitor file system activities for unusual write operations targeting system persistence locations by processes handling archive decompression (like WinRAR).
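The detection idea above (an archive extractor writing into a Startup folder) as a worked example; this is added here and is not part of the original report. It assumes Sysmon-style FileCreate events with an `Image` and `TargetFilename` field, and the sample events are constructed, not captured from a real incident.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Processes that extract archives (assumed set; extend for other extractors).
ARCHIVE_HANDLERS = {"winrar.exe", "unrar.exe"}

# Tail of both per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


@dataclass
class FileCreateEvent:
    image: str            # full path of the process that created the file
    target_filename: str  # path written, as recorded by the sensor


def normalize(path: str) -> str:
    """Collapse '..' segments and mixed separators, lower-case for comparison."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def startup_dir_of(path: str) -> Optional[str]:
    """Return the containing directory if `path` resolves into a Startup folder."""
    directory = ntpath.dirname(normalize(path))
    return directory if directory.endswith(STARTUP_SUFFIX) else None


def is_suspicious(event: FileCreateEvent) -> bool:
    """Flag an archive handler writing into any Startup folder, traversal included."""
    handler = ntpath.basename(event.image).lower()
    return handler in ARCHIVE_HANDLERS and startup_dir_of(event.target_filename) is not None


def scan(events: List[FileCreateEvent]) -> List[str]:
    return [e.target_filename for e in events if is_suspicious(e)]


# Constructed sample events: a traversal write, a normal extraction,
# a user-created shortcut, and an all-users Startup write.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\Users\alice\Downloads\invoice\..\..\AppData\Roaming"
                    r"\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    FileCreateEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\Users\alice\Downloads\invoice\report.pdf"),
    FileCreateEvent(r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"),
    FileCreateEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.bat"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious Startup write by archive handler:", hit)
```

Normalizing the path before matching matters because a traversal payload's recorded target may still contain the `..\` segments the archive used, and a literal prefix match would miss it.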
## References
- Vendor Advisory: Patched in WinRAR 7.13 (July 30, 2025).
- Google Threat Intelligence Group (GTIG) Advisory.
- ESET preliminary discovery report (observed as zero-day exploitation via RomCom starting July 18, 2025).