Patch Now: New WinRAR Flaw Used to Deliver Malware

Security researchers have discovered a new flaw in WinRAR that was recently exploited to spread malware through phishing emails. 

The flaw, CVE-2025-8088, can be harnessed through maliciously crafted archive files, according to BleepingComputer, which first reported on the vulnerability. 

Normally, WinRAR is supposed to extract files from an archive to the user’s specified path. But through the flaw, it looks like a booby-trapped file can extract the data to a hacker-selected path, creating a way to execute rogue computer code on a victim’s machine, including Windows PCs running WinRAR.

Three researchers at antivirus provider ESET discovered the vulnerability. Although details are thin, the company told PCMag it’s “observed spearphishing emails with attachments containing RAR files. These archives exploited the CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group.” Past versions of RomCom malware can steal sensitive data and install other malicious payloads.

The good news is that WinRAR patched the vulnerability last week with version 7.13 Final. Unfortunately, the popular file-archiving tool doesn’t feature an auto-update mechanism. So it’ll be up to users to manually download and install the new version to receive protection, otherwise they’ll remain at risk. 

In the release notes, WinRAR said the problem affects “previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll.” However, Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, and RAR for Android, are not affected.

As a free archive utility, WinRAR has attracted over 500 million users. In June, WinRAR also patched a separate flaw that could be exploited through booby-trapped archive files as well.

OpenAI Debuts GPT-5 Model During OpenAI’s Summer Update Event

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Read Michael’s full bio

Read the latest from Michael Kan