The vulnerability lets a malicious RAR file write files to locations on a Windows system other than the folder the user chose.
Researchers at ESET have discovered a zero-day vulnerability in WinRAR that is being actively exploited by the Russia-linked hacker group RomCom. The flaw, tracked as CVE-2025-8088, is a path traversal vulnerability: a crafted archive can make WinRAR write files to locations other than the extraction folder the user selected.
Automatic Startup on Reboot
The vulnerability allows attackers to place executable files in Windows’ startup folders, such as:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)
Anything placed in these folders runs automatically at the next logon, for instance after a reboot, so the attacker obtains code execution on the victim's machine; the victim only has to extract the archive. ESET told BleepingComputer that RomCom is distributing the malicious RAR files through targeted phishing campaigns.
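The check an extractor has to get right, as an added example (this is not code from the article, from ESET or from RARLAB): given the folder the user picked and the entry names read from an archive, resolve each name the way a naive extractor on Windows would and refuse anything that lands outside that folder, reporting separately when the destination is one of the two Startup folders named above. The profile path, the extraction folder and the entry names are constructed for the example, and the logic does not depend on the archive format, so it applies to any container, not only RAR. Rejecting a colon in an entry name (drive or NTFS stream syntax) is an extra precaution that the article does not discuss.

```python
"""Pre-extraction path check for archive entry names (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Constructed for the example: how %APPDATA% and %ProgramData% would
# resolve for a user "alice", and the two Startup folders built on them.
APPDATA = PureWindowsPath(r"C:\Users\alice\AppData\Roaming")
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")
STARTUP_DIRS = (
    APPDATA / r"Microsoft\Windows\Start Menu\Programs\Startup",       # per user
    PROGRAMDATA / r"Microsoft\Windows\Start Menu\Programs\StartUp",   # system-wide
)


@dataclass
class Verdict:
    name: str        # entry name exactly as stored in the archive
    resolved: str    # where a naive extractor would actually write it
    allowed: bool    # True only if it stays inside the chosen folder
    reason: str      # why it was rejected, or "ok"


def _normalize(dest: PureWindowsPath, name: str) -> PureWindowsPath:
    """Join an entry name onto dest and collapse '.' and '..' lexically,
    which is what ends up happening on disk if the extractor does not check."""
    p = PureWindowsPath(name.replace("/", "\\"))
    # An absolute, rooted or drive-relative name ignores the user's choice.
    joined = p if (p.is_absolute() or p.drive or p.root) else dest / p
    parts: list[str] = []
    for part in (joined.parts[1:] if joined.anchor else joined.parts):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()   # '..' climbs out of the previous component
            continue
        parts.append(part)
    return PureWindowsPath(joined.anchor or "", *parts)


def _inside(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, as NTFS does.
    return path == root or root in path.parents


def check_entries(dest: str, names: Iterable[str]) -> list[Verdict]:
    """Return one Verdict per entry; only entries with allowed=True may be written."""
    root = PureWindowsPath(dest)
    verdicts: list[Verdict] = []
    for name in names:
        target = _normalize(root, name)
        if not _inside(target, root):
            reason = "escapes target directory"
            if any(_inside(target, d) for d in STARTUP_DIRS):
                reason += " into a Startup folder (runs at next logon)"
            verdicts.append(Verdict(name, str(target), False, reason))
        elif ":" in name:
            # Extra precaution: drive letters or NTFS stream syntax have no
            # business in an entry name that is supposed to be relative.
            verdicts.append(Verdict(name, str(target), False, "drive or stream syntax in name"))
        else:
            verdicts.append(Verdict(name, str(target), True, "ok"))
    return verdicts


# Constructed sample: the folder the user picked and six entry names.
DEST = r"C:\Users\alice\Downloads\report"
SAMPLE_ENTRIES = [
    "docs/readme.txt",                                   # ordinary entry
    "docs/../docs/chart.png",                            # '..' that still stays inside
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.exe",
    r"..\..\..\..\Windows\Temp\note.txt",                # escapes, but not into Startup
    "readme.txt:hidden.exe",                             # stream syntax
]

if __name__ == "__main__":
    for v in check_entries(DEST, SAMPLE_ENTRIES):
        print(("ALLOW " if v.allowed else "REJECT"), v.name, "->", v.resolved, "|", v.reason)
```

The normalisation is deliberately the naive one (lexical collapse of `..`, absolute names taken as-is) so that the check mirrors what an unchecked extractor would do; a real extractor would additionally resolve symlinks and junctions on the filesystem before writing.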
Earlier, a separate WinRAR vulnerability was disclosed that allowed a crafted archive to bypass Windows security warnings, such as the warning shown when a file downloaded from the internet is opened.
Update Required
The flaw is fixed in WinRAR 7.13. Because WinRAR has no automatic update mechanism, users have to download and install the new version themselves. The Android version of RAR and the Unix builds and Unix source code of RAR/UnRAR are not affected; the Windows builds are, and need the update.
RomCom, also tracked as Storm-0978 and Void Rabisu, initially focused on Ukrainian government bodies and infrastructure, but has since broadened its targeting internationally.