A serious security vulnerability has been discovered in WinRAR for Windows, and users should update to the latest version immediately. The vulnerability, tracked as CVE-2025-8088, has been exploited in real phishing attacks. An attacker could exploit it by crafting a malicious archive file that places its contents in unauthorized locations on the victim's system, including Windows folders whose contents are automatically executed at startup.

Once a malicious file is placed in these folders, it can install malware or open hidden backdoors without any further action from the user.
Normally, WinRAR should only extract files into the destination folder the user specified. The vulnerability, classified as a path traversal flaw, could instead trick the software into writing files to highly sensitive system locations, such as the Windows startup folder for an individual user or for all users on the computer.
Malware placed in these locations runs automatically every time the computer reboots, giving attackers persistent control of the device. The issue affects the Windows versions of WinRAR and related tools, including RAR, UnRAR, Portable UnRAR Source, and UnRAR.dll. The Unix and Android versions are not affected.
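The check a correct extractor must make is simple to state: every entry name in the archive, once joined to the destination folder and normalised, must still lie inside that folder. The following Python is an added illustration written for this article, not WinRAR's own code, and it does not reproduce the specific trick used in CVE-2025-8088; it shows the generic validation (rejecting absolute paths, drive letters, and `..` components, then re-checking the resolved path) and additionally flags entries that would land in the two Windows startup folders the article describes. The destination path, the user profile `victim`, and the sample entry names are all constructed for the example.

```python
import ntpath

# Constructed sample values: a victim's extraction folder and the per-user and
# all-users startup folders the article names. The profile name is hypothetical.
DEST = r"C:\Users\victim\Downloads\invoice"
STARTUP_FOLDERS = (
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)

# Constructed archive listing: two benign entries and three that a safe extractor
# must refuse (relative traversal, traversal into a startup folder, absolute path).
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/./notes.txt",
    "docs/../../evil.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.exe",
]


def classify_entry(dest, name):
    """Decide whether an archive entry may be written below `dest`.

    Returns (verdict, resolved_path). verdict is "ok" or the reason for refusal.
    Only the entry name is inspected; nothing is written to disk. ntpath is used
    so the Windows path rules are applied even when this runs on another OS.
    """
    norm = name.replace("/", "\\")
    # Where a naive extractor would put the file: join, then collapse '.' and '..'.
    resolved = ntpath.normpath(ntpath.join(dest, norm))
    if "\x00" in name:
        return "nul byte in name", resolved
    # A leading backslash (rooted or UNC) or a drive letter means the entry
    # names its own location instead of a position inside the destination.
    if norm.startswith("\\") or ntpath.splitdrive(norm)[0]:
        return "absolute path", resolved
    parts = [p for p in norm.split("\\") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return "parent-directory traversal", resolved
    # A colon is not a legal character in a Windows file name component.
    if any(":" in p for p in parts):
        return "colon in component", resolved
    # Belt and braces: whatever the components looked like, the final path
    # must still sit strictly below the destination folder.
    base = ntpath.normcase(ntpath.normpath(dest)) + "\\"
    if not ntpath.normcase(resolved).startswith(base):
        return "escapes destination", resolved
    return "ok", resolved


def lands_in_startup(resolved):
    """True if the resolved path is inside one of the Windows startup folders."""
    target = ntpath.normcase(resolved)
    return any(target.startswith(ntpath.normcase(f) + "\\") for f in STARTUP_FOLDERS)


def audit(dest, names):
    """Return (name, verdict, would_land_in_startup) for every entry name."""
    results = []
    for name in names:
        verdict, resolved = classify_entry(dest, name)
        results.append((name, verdict, lands_in_startup(resolved)))
    return results


if __name__ == "__main__":
    for name, verdict, startup in audit(DEST, SAMPLE_ENTRIES):
        flag = "  <-- would persist via startup folder" if startup else ""
        print(f"{verdict:28} {name}{flag}")
```

The final `startswith(base)` test is the one that matters most: the component checks give a readable reason, but only re-validating the fully resolved path catches encodings or separators the component parser did not anticipate. An extractor that performs the first checks and skips the last one is exactly the kind of code a path traversal bug hides in.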
The vulnerability was discovered by ESET security researchers Anton Cherepanov, Peter Košinár and Peter Strýček. Their investigation revealed that a hacker group known as RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) has actively exploited this vulnerability to conduct spear phishing attacks.
In these attacks, victims receive emails containing infected RAR files. When these malicious files are opened using older versions of WinRAR, they deploy RomCom malware that can steal sensitive information, install additional malware, and provide long-term hidden access to infected systems.
RomCom has been linked to Russian cyberespionage and is known for exploiting undisclosed software vulnerabilities for espionage and ransomware attacks. The malware typically uses encrypted communications and is hidden within legitimate system tools, designed to evade security detection.
To resolve this issue, WinRAR developers released the 7.13 Final version on July 30, 2025. This update prevents archive files from placing content outside of the user-specified extraction location and fixes a few unrelated minor bugs. However, WinRAR does not update automatically – users must manually download and install new versions from the official website.
With over 500 million users worldwide, WinRAR is a prime target for cybercriminals. This is not the first security vulnerability to surface in the software in recent months; another vulnerability involving malicious archive files was patched earlier in 2025.
Security experts stress the importance of keeping WinRAR updated. They also recommend being cautious about opening email attachments from unknown senders, using antivirus software that can detect hidden threats inside archive files, and regularly checking the startup folders for unfamiliar files, as these folders are a common entry point for malware.