Full Report
ESET Research discovered a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents; the weaponized archives exploited a path traversal flaw to compromise their targets
Analysis Summary
# Vulnerability: WinRAR Path Traversal via Alternate Data Streams Leading to Arbitrary File Extraction
## CVE Details
- CVE ID: CVE-2025-8088
- CVSS Score: not stated in the source material. In-the-wild exploitation is not itself a CVSS base-score input; treat the issue as high severity on the basis of the impact described below.
- CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
## Affected Systems
- Products: WinRAR; Windows versions of RAR and UnRAR; `UnRAR.dll`; the portable UnRAR source code.
- Versions: WinRAR 7.12 and all earlier versions.
- Configurations: any Windows deployment that extracts RAR archives with the affected components, including third-party software that bundles `UnRAR.dll`. Unix/Linux builds and RAR for Android are not affected, because NTFS alternate data streams exist only on Windows.
## Vulnerability Description
CVE-2025-8088 is a path traversal vulnerability in WinRAR. The attacker's RAR archive contains, alongside a benign-looking document, NTFS **alternate data stream (ADS)** entries for that document whose stream names embed relative path elements (`..\`). On extraction, WinRAR builds each stream's destination path from the extraction directory, the host file name and the stream name without rejecting the traversal sequence, so the stream's content is written as an ordinary file outside the folder the user chose. In the observed attacks this dropped a DLL and an LNK file into locations such as the user's Startup directory, giving persistence at the next logon, while the victim sees only the decoy document. The archives also contained many dummy ADS entries with invalid paths, most likely so that the extraction warnings they trigger bury the ones produced by the working streams.
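As an added example (not ESET's or RARLAB's code), the following Python script walks a RAR5 archive's header chain and flags ADS entries whose stream names contain path separators or `..` segments. It assumes the RAR5 layout described in the format's technote: each ADS is an `STM` service header that follows its host file's header, with the stream name (`:name`) carried in a type-7 "service data" extra record. The archive, file name and stream names it runs on are constructed here; the minimal writer exists only to build that sample offline and is not a general RAR encoder.

```python
"""Walk a RAR5 header chain and flag NTFS alternate data stream (ADS) entries whose
stream names carry path separators or '..' segments, the CVE-2025-8088 pattern.
Added example, not ESET's or RARLAB's code. Assumes ADS entries are 'STM' service
headers whose ':name' lives in a type-7 'service data' extra record (RAR5 technote);
the tiny writer only builds an offline sample (store method, no timestamps, no data CRC)."""
import struct, zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002      # generic header flags
FFL_MTIME, FFL_CRC = 0x0002, 0x0004       # file/service header flags
FHEXTRA_SUBDATA = 7                       # extra record holding the stream name

def vint_encode(n):
    """RAR5 vint: 7 data bits per byte, little-endian, high bit = continuation."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def vint_read(buf, pos):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos

def is_suspicious_stream(stream_name):
    """Legitimate stream names look like ':Zone.Identifier'; a separator or '..' means traversal."""
    return "\\" in stream_name or "/" in stream_name or ".." in stream_name

def scan_rar5_streams(blob):
    """Return [(host_file, stream_name, suspicious)] for every STM entry in the archive."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, host, findings = len(RAR5_SIG), None, []
    while pos < len(blob):
        crc = struct.unpack_from("<I", blob, pos)[0]
        hsize, hstart = vint_read(blob, pos + 4)          # size counts from the type field
        if zlib.crc32(blob[pos + 4:hstart + hsize]) & 0xFFFFFFFF != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = vint_read(blob, hstart)
        hflags, p = vint_read(blob, p)
        extra_size, p = vint_read(blob, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = vint_read(blob, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint_read(blob, p)
            for _ in range(2):                            # unpacked size, attributes
                _, p = vint_read(blob, p)
            p += 4 * bool(fflags & FFL_MTIME) + 4 * bool(fflags & FFL_CRC)
            for _ in range(2):                            # compression info, host OS
                _, p = vint_read(blob, p)
            nlen, p = vint_read(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            extra = blob[hstart + hsize - extra_size:hstart + hsize]
            if htype == HEAD_FILE:
                host = name                               # STM entries follow their host file
            elif name == "STM":
                epos = 0
                while epos < len(extra):                  # records: size, type, data
                    rsize, epos = vint_read(extra, epos)
                    rtype, rpos = vint_read(extra, epos)
                    if rtype == FHEXTRA_SUBDATA:
                        sname = extra[rpos:epos + rsize].decode("utf-8", "replace")
                        findings.append((host, sname, is_suspicious_stream(sname)))
                    epos += rsize
        pos = hstart + hsize + data_size
        if htype == HEAD_END:
            break
    return findings

def _block(htype, body, extra=b"", data=b""):
    """Writer: CRC32 | size | type | flags | [extra size] | [data size] | body | extra, then data."""
    hflags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    fields = vint_encode(htype) + vint_encode(hflags)
    fields += (vint_encode(len(extra)) if extra else b"") + (vint_encode(len(data)) if data else b"")
    sized = vint_encode(len(fields + body + extra)) + fields + body + extra
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized + data

def _entry(htype, name, data, stream_name=None):
    body = vint_encode(0) + vint_encode(len(data)) + vint_encode(0x20)  # flags, size, attrs
    body += vint_encode(0) + vint_encode(0)                             # store, Windows
    body += vint_encode(len(name.encode())) + name.encode()
    extra = b""
    if stream_name is not None:
        rec = vint_encode(FHEXTRA_SUBDATA) + stream_name.encode()
        extra = vint_encode(len(rec)) + rec
    return _block(htype, body, extra, data)

def build_sample_archive(file_name, stream_names):
    """Constructed sample: a decoy document followed by one STM entry per stream name."""
    out = RAR5_SIG + _block(HEAD_MAIN, vint_encode(0))
    out += _entry(HEAD_FILE, file_name, b"%PDF-1.4 decoy")
    for s in stream_names:
        out += _entry(HEAD_SERVICE, "STM", b"[InternetShortcut]", s)
    return out + _block(HEAD_END, vint_encode(0))

# Hypothetical names shaped after the reported abuse (decoy CV, LNK into the Startup folder).
TRAVERSAL = ":" + "..\\" * 10 + "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk"
SAMPLE = build_sample_archive("Applicant_CV.pdf", [TRAVERSAL, ":Zone.Identifier"])

if __name__ == "__main__":
    for host, sname, bad in scan_rar5_streams(SAMPLE):
        print("SUSPICIOUS" if bad else "ok", repr(host), repr(sname))
```

Run as a script it lists the two streams in the constructed sample, one flagged and one clean; `scan_rar5_streams` accepts any RAR5 byte string, so it can be pointed at archives pulled from a mail-gateway quarantine. It never decompresses data or follows the names it reads, so it is safe on untrusted input, but it cannot see inside archives with encrypted headers, where the names are unreadable without the password and the header CRC check fails.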
## Exploitation
- Status: exploited in the wild by RomCom (also tracked as Storm-0978), a Russia-aligned threat group.
- Complexity: low. The exploit is a single crafted archive; there is no memory corruption, race or environment-specific step, and the missing path check fails deterministically.
- Attack Vector: a malicious archive delivered by spearphishing email, disguised as a job application. User interaction is required: the victim must extract the archive with a vulnerable version, since downloading it alone writes nothing outside the download location.
## Impact
Successful exploitation leads to arbitrary code execution in the context of the logged-in user: the LNK dropped into the Startup folder runs at the next logon and loads the dropped DLL. RomCom used this foothold to deploy its backdoors (a SnipBot variant, RustyClaw and a Mythic agent) for unauthorized access, data collection and potential financial theft.
- Confidentiality: High (Data collection, credential theft)
- Integrity: High (Installation of unauthorized software/backdoors)
- Availability: Medium (Potential system disruption, though primary goal appears to be espionage/theft)
## Remediation
### Patches
- WinRAR 7.12 and earlier are vulnerable.
- The fix shipped in WinRAR 7.13 beta 1 on July 24, 2025 and in the final WinRAR 7.13 release on July 30, 2025.
- **Action:** upgrade to **WinRAR 7.13** or later. WinRAR has no automatic update mechanism, so every installation must be updated by hand or through enterprise software deployment.
- Note: products that bundle the Windows `UnRAR.dll` or build from the portable UnRAR source carry their own copy of the flaw; they need an updated library from their vendor, and patching the WinRAR application alone does not fix them.
### Workarounds
- The vendor offers no workaround other than patching. Until the update is deployed:
- Do not extract RAR archives from unknown or unexpected senders, even when the archive appears to contain a single harmless document; the decoy is the point of the lure.
- Monitor for DLL or LNK files appearing in sensitive locations (the user's Startup folder, `%TEMP%`, `%LOCALAPPDATA%`) shortly after an archive is opened.
## Detection
- **Indicators of Compromise (IOCs):** the source names the payload families (SnipBot variant, RustyClaw, Mythic agent) rather than hashes or infrastructure; ESET publishes IOCs for its research at https://github.com/eset/malware-ioc.
- **Detection Methods and Tools:**
- Alert on `WinRAR.exe` (or `UnRAR.exe`/`Rar.exe`) creating files in any user's Startup folder, or creating `.lnk`/`.dll`/`.exe` files in temporary directories; a normal extraction into a chosen folder never writes there. Sysmon event 11 (FileCreate) carries the process image and target path needed for this.
- Scan inbound RAR archives for ADS entries (stored as `STM` service headers) whose stream names contain `..\`, `\` or `/`; a legitimate NTFS stream name never carries a path separator.
- Hunt for post-extraction activity tied to RomCom TTPs (credential dumping, lateral movement via SSH tunnels, the backdoor families above) on hosts where such archives were opened.
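An added example of the first detection method above, run over constructed records shaped like Sysmon event 11 (FileCreate) with its real `Image` and `TargetFilename` fields; this is not ESET's detection content, and the rule names, paths and user name are made up:

```python
"""Flag archive-tool file writes that land in a Startup folder or drop LNK/DLL/EXE
files into a temp directory: the post-extraction footprint of CVE-2025-8088 abuse.
Added example over constructed records shaped like Sysmon event 11 (FileCreate);
not ESET's detection content, and the rule names are made up."""
import re

ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe", "rar.exe"}
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)         # %TEMP%, %LOCALAPPDATA%\Temp
DROPPED_EXT = (".lnk", ".dll", ".exe")

def classify(event):
    """Return a rule name for a matching FileCreate event, else None."""
    if event.get("EventId") != 11:
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    target = event.get("TargetFilename", "")
    if image not in ARCHIVE_TOOLS:
        return None
    if STARTUP_RE.search(target):
        return "archiver_write_to_startup"          # high fidelity: archivers rarely write here
    if TEMP_RE.search(target) and target.lower().endswith(DROPPED_EXT):
        return "archiver_drops_executable_in_temp"  # noisier: tune against known-good installers
    return None

def hunt(events):
    """Return [(target_path, rule)] for every event that fires a rule."""
    return [(e["TargetFilename"], r) for e in events if (r := classify(e))]

# Constructed sample events (paths and user name are made up).
SAMPLE_EVENTS = [
    {"EventId": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Applicant_CV.pdf"},
    {"EventId": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"EventId": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\msedge.dll"},
    {"EventId": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventId": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "TargetFilename": ""},
]

if __name__ == "__main__":
    for path, rule in hunt(SAMPLE_EVENTS):
        print(rule, path)
```

The Startup rule is the one worth paging on: an archiver process has no legitimate reason to create a file there, and the explorer-created shortcut in the sample shows why the rule keys on the writing process rather than the path alone. The temp-directory rule will also fire on genuine archives that contain executables, so it belongs in a hunting query or a lower-severity alert rather than a blocking rule.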
## References
- ESET Research (WeLiveSecurity) article on the RomCom campaign, the discovery source
- Vendor advisory: RARLAB release notes for WinRAR 7.13
- NVD entry for CVE-2025-8088
- Related: CVE-2025-6218, an earlier WinRAR path traversal disclosed June 19, 2025 and fixed in WinRAR 7.12