
WinRAR Security Exploit Allows Auto-Startup Malware — Patch Released

By Nathan Cole


A serious security flaw, disclosed on July 18, 2025, has been identified in WinRAR, a file compression and archiving program; the company has since patched it. The defect gave Russian hackers a way to install malicious software on a victim's device. Security specialists have notified users to update WinRAR to the latest version manually.

Key Takeaways 

  • A security flaw was detected in WinRAR on July 18, 2025: a previously unknown zero-day vulnerability.
  • Attackers such as the RomCom group used it to hide malicious files that are dropped during extraction.
  • The vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček of ESET.

What Security Flaw Has Been Identified in WinRAR?

The company identified the vulnerability as CVE-2025-8088, a “directory traversal” issue in WinRAR. Using this defect, attackers could craft a compressed file whose entries carry manipulated paths. When a user extracts such a file, the program is forced to write a file to a location other than the one the user selected. This lets a malicious file land in critical system folders, such as the Windows Startup directory.

This defect was present in earlier versions of WinRAR and related components, including the Windows versions of RAR, UnRAR, and UnRAR.dll. The WinRAR flaw CVE-2025-8088 was fixed in version 7.13.

The flaw was identified by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, a Slovak cybersecurity software company. The team detected the fault when they observed spearphishing emails with attachments containing RAR files.

The attackers would craft archives that drop files into autorun paths, such as:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (local to the user)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide)
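The two facts above, that an archive entry's path can steer the written file outside the chosen extraction folder and that the attackers aimed at the Startup folders, suggest a simple pre-extraction check. The following is an added example written for this article, not code from WinRAR or from ESET: it inspects archive entry names before anything is written and reports entries that are absolute, that climb above the extraction directory with `..`, or that point at a Startup folder. The entry names are constructed samples; the `zipfile` helper is used only because Python ships it, and the same `audit_entries` function would take the name list from any archive library (for RAR, for instance, the third-party `rarfile` module's `namelist()`, which this example does not use).

```python
import io
import zipfile
from dataclasses import dataclass, field

# Autorun locations quoted in the article, in a normalized form (forward
# slashes, lower case) so one check matches both '\' and '/' separators.
# Other autorun locations exist but are not listed here.
AUTORUN_MARKERS = ("microsoft/windows/start menu/programs/startup",)

# Constructed sample entry names; the last three are the kinds of names a
# path-traversal check must catch, the first two are harmless.
SAMPLE_ENTRIES = [
    "report/quarterly.pdf",
    "docs/../notes.txt",  # stays inside the destination: fine
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\helper.exe",
    "/etc/cron.d/job",
]


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def normalize(name: str) -> str:
    """Map an archive entry name to forward slashes so both separators are handled."""
    return name.replace("\\", "/")


def classify_entry(name: str) -> list:
    """Return the reasons an entry must not be extracted as-is (empty list = fine)."""
    reasons = []
    n = normalize(name)
    # Absolute paths: POSIX root, UNC '//server/share', or a Windows drive letter 'C:'.
    if n.startswith("/") or (len(n) >= 2 and n[0].isalpha() and n[1] == ":"):
        reasons.append("absolute path")
    # Walk the components and track depth: a '..' that climbs above the
    # extraction directory is a traversal, even if later components descend again.
    depth = 0
    for part in n.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                reasons.append("directory traversal ('..' escapes extraction directory)")
                break
        else:
            depth += 1
    # Independently of how it gets there, does the entry aim at a Startup folder?
    if any(marker in n.lower() for marker in AUTORUN_MARKERS):
        reasons.append("targets an autorun (Startup) folder")
    return reasons


def audit_entries(names) -> list:
    """Audit a list of entry names; only flagged entries are returned."""
    return [Finding(n, r) for n in names if (r := classify_entry(n))]


def safe_to_extract(names) -> bool:
    return not audit_entries(names)


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP whose entry names are the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            zf.writestr(name, b"constructed content")
    return buf.getvalue()


def audit_zip(data: bytes) -> list:
    """Read the name list from a ZIP without extracting anything, then audit it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return audit_entries(zf.namelist())


if __name__ == "__main__":
    for finding in audit_zip(build_sample_zip()):
        print(finding.name, "->", "; ".join(finding.reasons))
```

The depth counter is the important detail: `docs/../notes.txt` is accepted because it never leaves the destination, while a leading `..` is rejected immediately. Checking the names before extraction, rather than resolving paths afterwards, is what an archiver must do to avoid the class of bug described here.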

WinRAR: Risk of Remote Code Execution 

Through this defect, attackers could place a malicious file that runs automatically when the user logs in to the computer. The attacker then has complete control over the system, which amounts to ‘remote code execution’. It is dangerous, as attackers can steal personal information, install encryption trojans, and use the device to attack and infect other systems.
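Because the file planted this way runs at every logon, the Startup folders named in the article are the first place to look when checking a machine. The script below is an added example written for this article, not code from WinRAR or ESET: it lists everything in a Startup folder that is not one of the expected residents (`.lnk` shortcuts and `desktop.ini`) and reports how long ago each item was written. The extension list and the constructed sample folder are this example's own assumptions; `os.path.expandvars` only resolves `%VAR%` names on Windows, so on other systems `audit_all_startup_folders` finds no folders and the demo uses a temporary directory instead.

```python
import os
import tempfile
import time
from dataclasses import dataclass

# The two autorun folders quoted in the article.
STARTUP_FOLDERS = (
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
)

# Executable and script types that have no business sitting directly in a
# Startup folder (assumed list; shortcuts normally point at programs elsewhere).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".dll",
}


@dataclass
class StartupItem:
    path: str
    reason: str
    age_hours: float


def audit_startup_folder(folder: str, now: float = None) -> list:
    """Return entries in one Startup folder that are not the expected shortcuts."""
    now = time.time() if now is None else now
    findings = []
    if not os.path.isdir(folder):
        return findings
    for entry in os.scandir(folder):
        name_l = entry.name.lower()
        ext = os.path.splitext(name_l)[1]
        if name_l == "desktop.ini" or ext == ".lnk":
            continue  # normal residents of a Startup folder
        if entry.is_dir(follow_symlinks=False):
            reason = "unexpected subdirectory"
        elif ext in EXECUTABLE_EXTENSIONS:
            reason = f"executable/script dropped directly into Startup ({ext})"
        else:
            reason = "non-shortcut file"
        age = (now - entry.stat(follow_symlinks=False).st_mtime) / 3600
        findings.append(StartupItem(entry.path, reason, round(age, 2)))
    # Newest first: a freshly written item is the most interesting one.
    return sorted(findings, key=lambda item: item.age_hours)


def audit_all_startup_folders() -> list:
    """Audit both folders from the article (only meaningful on Windows)."""
    return [
        item
        for folder in STARTUP_FOLDERS
        for item in audit_startup_folder(os.path.expandvars(folder))
    ]


def make_constructed_startup_folder(base: str) -> str:
    """Build a throw-away folder that mimics a Startup directory (constructed data)."""
    folder = os.path.join(base, "Startup")
    os.makedirs(folder, exist_ok=True)
    samples = (
        ("desktop.ini", b"[.ShellClassInfo]"),
        ("Notes.lnk", b"L\x00\x00\x00"),
        ("update.exe", b"MZ constructed, not a real binary"),
        ("sync.vbs", b"' constructed sample"),
    )
    for name, content in samples:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


def run_demo() -> dict:
    """Audit the constructed folder and map each flagged file name to its reason."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = make_constructed_startup_folder(tmp)
        return {os.path.basename(i.path): i.reason for i in audit_startup_folder(folder)}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(name, "->", reason)
    for item in audit_all_startup_folders():
        print(item.path, "->", item.reason, f"({item.age_hours} h old)")
```

On a real machine the interesting output is `audit_all_startup_folders()`; the constructed folder only shows what a hit looks like. Anything flagged should be compared against the user's own shortcuts before it is removed.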

RomCom Russian Hackers Exploit the Defect 

WinRAR's CVE-2025-8088 vulnerability has been exploited by the notorious Russian group RomCom, also known as UNC2596, Tropical Scorpius, and Storm-0978. Cyber specialists found that the group was partially exploiting this vulnerability. The group is known for finding and using software flaws that have yet to be discovered by the software's developers.

ESET also added that, apart from RomCom, another group began exploiting CVE-2025-8088 a few days later. The RomCom group emerged in 2022 and initially targeted various government entities in Ukraine, such as the military, energy, and water sectors. In 2024, RomCom carried out attacks using two Firefox and Tor Browser zero-day vulnerabilities against users in Europe and North America.

Notification to manually update WinRAR 

WinRAR, a trialware file archiver, cannot update itself automatically, so users need to update the software on their computers manually. Security specialists have advised users to download the latest version of WinRAR from the official website.

Note that Unix versions of RAR and UnRAR, including Android versions, are not affected by the vulnerability.

The security risk applies only to Windows users. The new version of WinRAR (7.13) can be downloaded from the website. The team fixed the flaw and released that version on July 30, 2025.


Final Thoughts 

The attack on WinRAR has alerted many cybersecurity specialists. Zero-day attacks create concern among developers and users alike. The new version is said to end the malicious attacks, and the developers have urged users to download it manually and replace the older one.
