Overview of the Vulnerability
WinRAR versions 7.12 and earlier contain a high-severity path-traversal flaw (CVE-2025-8088) that allows attackers to execute arbitrary code when a victim opens a crafted archive: the archive causes a file to be written outside the intended extraction directory.
How the Exploit Works
The bug abuses WinRAR's handling of the NTFS Alternate Data Streams (ADS) feature. A malicious archive includes ADS entries whose stream names carry directory-traversal sequences; when the archive is extracted, the payload is written to an attacker-chosen location outside the extraction folder instead of alongside the extracted file, which is what enables the malware to run.
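A defender-side check for the two properties the paragraph describes (an ADS stream name in an archive entry, and a traversal sequence or absolute path in either the entry or its stream name) can be run over an archive listing before extraction. The following is an added example and not code from the article or from WinRAR; it assumes you already have the entry names as strings (for instance from a RAR listing tool), and the sample entries below are constructed for illustration.

```python
import re

# Constructed sample archive listing (not from the article): entry names as a
# RAR listing tool would print them. Backslash is the NTFS path separator.
SAMPLE_ENTRIES = [
    "report.pdf",                                  # ordinary file
    "images/cover.png",                            # ordinary file in a subfolder
    "notes.txt:Zone.Identifier",                   # benign-looking ADS, still unusual in an archive
    "report.pdf:..\\..\\SomeFolder\\payload.exe",  # ADS whose stream name traverses out of the extraction dir
    "..\\..\\SomeFolder\\other.exe",               # plain traversal in the entry name itself
    "C:\\SomeFolder\\abs.exe",                     # absolute path
]

# Flags that mean "do not extract": the file would land outside the extraction folder.
HIGH_RISK = {"ads-traversal", "traversal", "absolute"}


def split_stream(name):
    """Split 'file:stream' into (file, stream).

    A drive-letter colon ('C:\\...') is not a stream separator, so the search
    for ':' starts after it. Returns (name, None) when there is no stream.
    """
    start = 2 if re.match(r"^[A-Za-z]:[\\/]", name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def has_traversal(path):
    """True if any path component is '..' (either separator style)."""
    return any(part == ".." for part in re.split(r"[\\/]+", path))


def is_absolute(path):
    """True for '\\x', '/x' or 'C:\\x' style paths, which ignore the extraction dir."""
    return bool(re.match(r"^([A-Za-z]:)?[\\/]", path))


def classify_entry(name):
    """Return the set of risk flags for one archive entry name."""
    flags = set()
    base, stream = split_stream(name)
    if stream is not None:
        flags.add("ads")
        # The CVE-2025-8088 pattern from the article: the ADS name itself
        # contains the traversal, so checking only the base name misses it.
        if has_traversal(stream) or is_absolute(stream):
            flags.add("ads-traversal")
    if has_traversal(base):
        flags.add("traversal")
    if is_absolute(base):
        flags.add("absolute")
    return flags


def scan_entries(names):
    """Return [(name, sorted_flags)] for every entry that carries at least one flag."""
    report = []
    for name in names:
        flags = classify_entry(name)
        if flags:
            report.append((name, sorted(flags)))
    return report


def high_risk_entries(names):
    """Names whose extraction would write outside the chosen folder."""
    return [name for name in names if classify_entry(name) & HIGH_RISK]


if __name__ == "__main__":
    for name, flags in scan_entries(SAMPLE_ENTRIES):
        print(f"{name!r}: {', '.join(flags)}")
    print("block extraction of:", high_risk_entries(SAMPLE_ENTRIES))
```

Any entry with a plain "ads" flag is worth a second look even without traversal, since a stream on an archived file has no legitimate role in most workflows; the three high-risk flags are the ones that should stop extraction outright. Names created on non-Windows systems that merely contain a colon will also be flagged, which is the intended conservative behaviour because WinRAR on NTFS would interpret them as streams.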
Threat Actors Leveraging the Flaw
- RomCom – a Russia-aligned group that used the vulnerability to deliver the NESTPACKER loader against Ukrainian military targets.
- APT44 and Turla – state-sponsored groups that also targeted Ukrainian forces with it.
- Carpathian – another actor employing the bug.
- Chinese state‑sponsored groups – reported to drop the POISONIVY malware.
- Financially motivated groups – such as those distributing XWorm and AsyncRAT infostealers.
Impact and Real‑World Attacks
Victims typically open a decoy document (e.g., a PDF) contained in the archive. Extracting that document also extracts the hidden ADS payload to its attacker-chosen location, where it is executed, leading to system compromise and data theft.
Mitigation and Recommendations
- Update WinRAR immediately to version 7.13 or newer.
- Verify the integrity of archives before opening them, especially from untrusted sources.
- Consider disabling ADS handling in your security policies.
- Apply the latest Windows updates, including patches for related LNK vulnerabilities.
- Monitor endpoints for indicators of compromise associated with NESTPACKER, POISONIVY, XWorm, and AsyncRAT.
Conclusion
The exploitation of CVE‑2025‑8088 demonstrates how quickly a critical flaw in a ubiquitous tool can be weaponized by both nation‑state and criminal actors. Prompt patching and vigilant handling of archives are essential to protect against these attacks.