WinRAR Zero-Day Exploit Actively Targeted in Ongoing Attacks

Users urged to update WinRAR version 7.13 to patch a critical vulnerability under active exploitation.

Critical zero-day CVE-2025-8088 patched

A newly discovered zero-day vulnerability in WinRAR, tracked as CVE-2025-8088, has been patched following reports of active exploitation in the wild. The flaw, with a CVSS severity score of 8.8, affects the Windows version of WinRAR and stems from a path traversal bug that enables arbitrary code execution through malicious archive files.

According to WinRAR’s advisory, specially crafted archive paths can override the intended extraction directory, potentially letting attackers write files to sensitive locations on the system. The vulnerability has been resolved in version 7.13, released on July 31. Users running older versions, including 7.12 and earlier, are urged to update immediately.

Exploitation tied to advanced threat group

Although there’s no official confirmation, the signs seem to point toward a sophisticated threat group known as “Paper Werewolf.” The full scope of the malicious campaign remains unclear, but initial evidence suggests the group may have acquired a zero-day exploit offered for sale on a dark web forum by a user named “zeroplayer” for $80,000 in early July.

The attackers reportedly used phishing emails with poisoned RAR archives to target Russian organizations in July. These files exploited CVE-2025-8088 in conjunction with another flaw, CVE-2025-6218, which was patched a month earlier, to plant malware outside the extraction directory. During the attacks, victims were shown decoy documents while payloads silently executed in the background.

A closer look at the exploit

The exploitation stems from the ability to manipulate relative paths within archive files. This allows payloads to bypass extraction safeguards. In an example attack scenario, threat actors could embed alternative data streams, routing extracted files into arbitrary directories, including sensitive system folders on Windows machines, like the Startup directory.

This could result in the execution of malicious code during system login without further user interaction. Identified payloads include a .NET-based loader that exfiltrates system data and retrieves additional malware via a remote command-and-control (C2) server.

Safekeeping your digital integrity

To prevent attacks that exploit the CVE-2025-8088 vulnerability, users should update to the latest WinRAR version.

Using specialized software like Bitdefender Ultimate Security can keep you safe from zero-day exploits, viruses, Trojans, worms, spyware, ransomware, rootkits, and other digital threats.

Its key features include comprehensive, real-time data protection, network threat prevention, behavioral analysis for active apps, email protection, AI-powered scam detection and cryptomining protection.