The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability.
Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path,” WinRAR said in an advisory.
Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 31, 2025.
It’s currently not known how the vulnerability is being weaponized in real-world attacks, and by whom. In 2023, another vulnerability affecting WinRAR (CVE-2023-38831, CVSS score: 7.8) came under heavy exploitation, including as a zero-day, by multiple threat actors from China and Russia.
Russian cybersecurity vendor BI.ZONE, in a report published last week, said there are indications that the hacking group tracked as Paper Werewolf (aka GOFFEE) may have leveraged CVE-2025-8088 alongside CVE-2025-6218, a directory traversal bug in the Windows version of WinRAR that was patched in June 2025.
It’s important to note that prior to these attacks, a threat actor identified as “zeroplayer” was spotted advertising on July 7, 2025, an alleged WinRAR zero-day exploit on the Russian-language dark web forum Exploit.in for a price tag of $80,000. It’s suspected that the Paper Werewolf actors may have acquired it and used it for their attacks.
“In previous versions of WinRAR, as well as RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction,” WinRAR said in an alert for CVE-2025-6218 at the time.
“User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory. This flaw could be exploited to place files in sensitive locations – such as the Windows Startup folder – potentially leading to unintended code execution on the next system login.”
The attacks, per BI.ZONE, targeted Russian organizations in July 2025 via phishing emails bearing booby-trapped archives that, when launched, triggered CVE-2025-6218 and likely CVE-2025-8088 to write files outside the target directory and achieve code execution, while a decoy document is presented to the victim as a distraction.
“The vulnerability is related to the fact that when creating a RAR archive, you can include a file with alternative data streams, the names of which contain relative paths,” BI.ZONE said. “These streams can contain arbitrary payload. When unpacking such an archive or opening an attached file directly from the archive, data from the alternative streams is written to arbitrary directories on the disk, which is a directory traversal attack.”
“The vulnerability affects WinRAR versions up to and including 7.12. Starting with version 7.13, this vulnerability is no longer reproduced.”
One of the malicious payloads in question is a .NET loader that’s designed to send system information to an external server and receive additional malware, including an encrypted .NET assembly.
“Paper Werewolf uses the C# loader to get the victim’s computer name and send it in the generated link to the server to get the payload,” the company added. “Paper Werewolf uses sockets in the reverse shell to communicate with the control server.”
