- WinRAR CVE-2025-8088 exploited by criminal and state-sponsored groups
- Attackers use ADS functionality to deploy malware via malicious archives
- Users are advised to update to WinRAR 7.13 or newer to protect themselves
The iconic Windows archiver program WinRAR contains a high-severity vulnerability that allows malicious actors to execute arbitrary code on compromised endpoints – and security researchers now say the bug is being exploited by numerous hacking collectives, both state-sponsored and otherwise.
The bug in question is described as a path traversal flaw, affecting versions 7.12 and earlier. It is tracked as CVE-2025-8088 and received a severity score of 8.4/10 (high).
To secure their systems and prevent intrusions, security professionals advise users to update the program to version 7.13 or newer.
Abused as a zero-day
Now, BleepingComputer has reported that several security services are warning of numerous hacking collectives using this flaw in their attacks.
Among them is RomCom, a Russian-aligned group, which used it to deploy NESTPACKER against Ukrainian military units. Other notable mentions include APT44 and Turla (which also used it against the Ukrainian military), Carpathian, and several Chinese state-sponsored actors who allegedly used it to drop POISONIVY malware.
Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that primarily tracks state-sponsored attackers, said the first signs of abuse were seen in mid-July 2025. Since then, hackers have been using WinRAR’s Alternate Data Streams (ADS) feature to write malware to arbitrary locations on target devices.
“Although the user typically views a decoy document, such as a PDF, in the archive, there are also malicious ADS entries, some containing a hidden payload while others are fake data,” Google said.
When the victim opens the archive, the program extracts the ADS payload using directory traversal, it was explained.
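A defender-side check for the pattern described above, as an added example that is not from the article or from WinRAR. It assumes the archive's entry names have already been listed as strings in Windows `path:stream` form; the entry names, the destination directory and the function names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

DEST = r"C:\Users\alice\Downloads\extract"  # constructed extraction directory

def split_ads(name):
    """Split 'path:stream' into (path, stream); stream is None if absent."""
    drive, rest = ntpath.splitdrive(name)  # keep a 'C:' prefix with the path
    path, sep, stream = rest.partition(":")
    return drive + path, (stream if sep else None)

def escapes(dest, rel):
    """True if rel, joined to dest, resolves outside dest (fails closed)."""
    norm = rel.replace("/", "\\")
    if ntpath.splitdrive(norm)[0]:  # drive letter or UNC prefix
        return True
    full = ntpath.normpath(ntpath.join(dest, norm)).lower()
    root = ntpath.normpath(dest).lower()
    return not (full == root or full.startswith(root + "\\"))

def audit(names, dest=DEST):
    """Return (entry, reason) for every entry that should block extraction."""
    findings = []
    for name in names:
        path, stream = split_ads(name)
        if escapes(dest, path):
            findings.append((name, "path escapes extraction directory"))
        elif stream is not None and ("\\" in stream or "/" in stream):
            # A legitimate stream name is a bare label, never a path.
            findings.append((name, "ADS name contains path components"))
    return findings

# Constructed sample listing: a decoy, a benign stream, and two bad entries.
SAMPLE = [
    "invoice.pdf",
    "docs/readme.txt",
    "report.pdf:Zone.Identifier",
    "invoice.pdf:..\\..\\outside\\dropped.bin",
    "..\\..\\evil.txt",
]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"BLOCK {entry!r}: {reason}")
```

Running the check before extraction, for example in a mail gateway or sandbox, lets an archive be quarantined without ever unpacking it on the endpoint.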
Besides nation states, financially motivated groups were also exploiting this bug, using it to drop information stealers such as XWorm or AsyncRAT.
WinRAR does not update automatically, but you do not need to uninstall the program before installing the new version. It will simply be installed on top of the existing one.
Via BleepingComputer




