Campaign of the month

Learn about the latest cyber attacks and vulnerabilities in our monthly Campaigns.

Exploring CVE-2025-8088: How WinRAR became vulnerable to path traversal 

On July 18th, 2025, ESET researchers publicly disclosed the CVE-2025-8088 vulnerability. 

Although WinRAR’s response was swift, with the release of a patch (version 7.13) on July 30, 2025, the window between disclosure and patch availability was long enough for adversaries to weaponize the flaw and conduct successful intrusions.

This campaign explores in depth how CVE-2025-8088 made WinRAR vulnerable to path traversal, allowing arbitrary code execution via malicious archives.

What is WinRAR? 

WinRAR is a ubiquitous file-archiving utility used worldwide to compress, package, and exchange files. Its ease of use and deep integration into everyday workflows make it a convenient tool and, therefore, an attractive target for adversaries seeking to convert routine user actions into an initial access vector.

In mid-2025, a critical zero-day, tracked as CVE-2025-8088, demonstrated how a seemingly innocuous operation, extracting an archive, can immediately evolve into a full compromise.

Overview of the CVE-2025-8088 vulnerability  

Security researchers identified that the Russia-aligned threat actor RomCom (also tracked as Storm-0978) weaponized this path-traversal vulnerability to deliver malicious payloads via specially crafted RAR archives.  

By exploiting the flaw, attackers were able to cause arbitrary files to be written to sensitive locations on disk and execute code without additional user interaction beyond extraction. 

RomCom used CVE-2025-8088 in highly targeted spear-phishing campaigns against organizations in financial services, manufacturing, defense, and logistics across Europe and Canada, turning ordinary user behavior into a reliable exploitation step in a multi-stage espionage chain. 

CVE-2025-8088 attack flow 

The CVE-2025-8088 attack chain unfolds methodically: 

  • Initial entry point: Delivery of spear-phishing emails containing malicious RAR attachments, disguised as legitimate job application documents (CVs). 
  • Exploitation technique: Abuse of the path traversal bug (CVE-2025-8088) to drop and execute malware during archive extraction. 
  • Impact: Deployment of backdoor malware such as SnipBot variants, RustyClaw, and the Mythic agent, enabling persistent espionage, data theft, and long-term surveillance of targeted organizations.
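The attack flow above hinges on a single primitive: an archive entry whose name, once extracted, lands outside the folder the user chose. The following is an added example, not code from this spotlight, from ESET, or from WinRAR, showing the defender-side check that a sanitizing extractor or a mail-gateway archive scanner applies to entry names before any file is written. It does not reproduce the internals of the WinRAR bug (the page does not describe them); it demonstrates the generic containment test that any extractor must pass. The entry names, the extraction root `/srv/extract`, and the use of a ZIP container are all constructed for the example, the last because the Python standard library has no RAR reader and the check is name-based, so it applies to any archive format.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, Iterable, Optional

# Entry names a crafted archive could carry. These are constructed for the
# example and are not taken from any real sample.
CONSTRUCTED_ENTRIES = [
    "cv/resume.pdf",
    "cv/../../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "..\\..\\ProgramData\\dropper.dll",
    "C:\\Windows\\Temp\\x.bin",
    "/etc/cron.d/job",
    "cv/./notes.txt",
    "cv//double/slash.txt",
]

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def entry_violation(name: str, extract_root: str = "/srv/extract") -> Optional[str]:
    """Return a reason if `name` would be written outside extract_root, else None.

    Both separators are unified first, because an archive written on Windows
    may carry backslashes that a naive POSIX-style check would treat as part of
    a single filename.
    """
    if not name or "\x00" in name:
        return "empty or NUL-containing name"
    unified = name.replace("\\", "/")
    if DRIVE_PREFIX.match(unified) or unified.startswith("/"):
        return "absolute or drive/UNC path"

    # Walk the components and track depth: any '..' that would climb above the
    # root is a traversal, regardless of what follows it.
    depth = 0
    for part in unified.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return "traverses above extraction root"
        else:
            depth += 1

    # Belt and braces: resolve against the root and confirm containment.
    target = posixpath.normpath(posixpath.join(extract_root, unified))
    root = extract_root.rstrip("/")
    if target != root and not target.startswith(root + "/"):
        return "normalizes outside extraction root"
    return None


def scan_entries(names: Iterable[str], extract_root: str = "/srv/extract") -> Dict[str, str]:
    """Map each unsafe entry name to its violation; safe names are omitted."""
    findings = {}
    for name in names:
        reason = entry_violation(name, extract_root)
        if reason is not None:
            findings[name] = reason
    return findings


def build_constructed_zip() -> bytes:
    """Build an in-memory ZIP carrying the constructed names, byte-for-byte.

    zipfile does not rewrite '..' or backslashes on write, so the listing we
    scan is exactly what a hostile archive would present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in CONSTRUCTED_ENTRIES:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def scan_zip_bytes(data: bytes, extract_root: str = "/srv/extract") -> Dict[str, str]:
    """List the archive without extracting anything and vet every entry name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_entries(zf.namelist(), extract_root)


if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_constructed_zip()).items():
        print(f"BLOCK {name!r}: {why}")
```

The decisive property is that the check runs on the listing, before extraction, and rejects the whole archive on the first violation rather than skipping the bad entry and continuing; an archive that mixes a plausible CV with a traversing entry is hostile as a unit. The same containment test, expressed with the target platform's path rules, is what a patched extractor applies internally.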

What you’ll learn in this spotlight 

This month’s campaign highlights two enduring lessons: mundane tools can become powerful attack enablers, and rapid patch adoption, together with layered defenses and user awareness, is essential to prevent routine tasks from escalating into full-scale compromise.

Access the full spotlight above to learn: 

  • The detailed anatomy of the attack chain and exploitation process 
  • Evasion techniques used by the attackers 
  • How to defend against WinRAR path traversal and copy-cat techniques