Saturday, August 9, 2025

WinRAR zero-day flaw exploited by RomCom hackers in phishing assaults


A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.

The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows specially crafted archives to extract files into a file path chosen by the attacker rather than the one the user selected.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.

“Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected.”

Using this vulnerability, attackers can create archives that extract executables into autorun paths, such as the Windows Startup folders located at:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (local to the user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide)

The next time a user logs in, the executable runs automatically, giving the attacker remote code execution.
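The check below is an added example, not code from WinRAR, ESET or this article. It models the defect described above from the extractor's side: before writing anything, a hardened extractor resolves each archive entry name lexically against the destination the user chose and refuses entries that carry their own drive or root, climb out of the destination with `..`, contain characters NTFS reserves, or would land in one of the two Startup folders named above. Windows path semantics come from `pathlib.PureWindowsPath`, so it runs on any OS without touching the filesystem. The expanded `%APPDATA%` and `%ProgramData%` values, the user name `alice`, the destination directory and the sample archive listing are all constructed for the example.

```python
"""Hardened-extractor path check (added example; not WinRAR, ESET or article code).

Assumed, not from the page: expanded %APPDATA% / %ProgramData% values, the
user 'alice', DEST, and the constructed SAMPLE_LISTING.
"""
from pathlib import PureWindowsPath

APPDATA = PureWindowsPath(r"C:\Users\alice\AppData\Roaming")   # assumed expansion
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")               # assumed expansion

# The two autorun locations named in the article: a file written here runs at next logon.
AUTORUN_DIRS = [
    APPDATA / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
    PROGRAMDATA / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp",
]

RESERVED = set('<>:"|?*')   # characters NTFS does not allow in a name component


def _is_within(path, root):
    """Case-insensitive component-prefix test: is path at or below root?"""
    p = [c.lower() for c in path.parts]
    r = [c.lower() for c in root.parts]
    return p[:len(r)] == r


def resolve_entry(dest, name):
    """Compute where an archive entry would land if written under dest.

    Returns (verdict, target, lands_in_autorun). verdict is one of:
      'ok'        - plain relative path that stays inside dest
      'absolute'  - entry carries its own drive, root or UNC prefix
      'traversal' - entry climbs above dest via '..'
      'badchar'   - a component contains a reserved character
    '.' and '..' are collapsed purely lexically; nothing is read from disk.
    """
    dest = PureWindowsPath(dest)
    entry = PureWindowsPath(name.replace("/", "\\"))
    absolute = bool(entry.drive or entry.root)
    if absolute:
        stack, pieces = list(PureWindowsPath(entry.anchor).parts), entry.parts[1:]
    else:
        stack, pieces = list(dest.parts), entry.parts
    floor = len(dest.parts)          # relative entries must never pop below dest
    escaped = badchar = False
    for piece in pieces:
        if piece in ("", "."):
            continue
        if piece == "..":
            if len(stack) <= floor:
                escaped = True       # this '..' leaves the user-chosen directory
            if len(stack) > 1:       # never pop the drive/root anchor itself
                stack.pop()
            continue
        if RESERVED & set(piece):
            badchar = True
        stack.append(piece)
    target = PureWindowsPath(*stack)
    if absolute:
        verdict = "absolute"
    elif escaped:
        verdict = "traversal"
    elif badchar:
        verdict = "badchar"
    else:
        verdict = "ok"
    autorun = any(_is_within(target, d) for d in AUTORUN_DIRS)
    return verdict, str(target), autorun


def audit(dest, listing):
    """Return the entries a safe extractor must refuse: anything that is not a
    plain relative path inside dest, plus anything landing in an autorun dir."""
    refused = []
    for name in listing:
        verdict, target, autorun = resolve_entry(dest, name)
        if verdict != "ok" or autorun:
            refused.append((name, verdict, target, autorun))
    return refused


# Constructed archive listing: two benign entries, one that stays inside dest
# after '..' is collapsed, and two that would reach the Startup folders.
SAMPLE_LISTING = [
    "invoice.pdf",
    "docs/readme.txt",
    "a\\..\\b.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
]
DEST = r"C:\Users\alice\Downloads\invoice"   # the directory the user picked (assumed)

if __name__ == "__main__":
    for name, verdict, target, autorun in audit(DEST, SAMPLE_LISTING):
        print(f"REFUSE {verdict:9} autorun={autorun} {name!r} -> {target}")
```

Two design points matter for a defender. The containment test is lexical, so it catches the entry before any file is created, which is the only point at which refusing is cheap. And the autorun flag is independent of the verdict: even an entry that stays inside the user's chosen directory is refused if that directory happens to be a Startup folder, because a file written there runs at the next logon regardless of how it got there.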

As WinRAR doesn't include an auto-update feature, all users are strongly advised to manually download and install the latest version from win-rar.com so they are protected from this vulnerability.

Exploited as a zero-day in attacks

The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.

“ESET has observed spearphishing emails with attachments containing RAR files,” Strýček told BleepingComputer.

“These archives exploited the CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group.”

RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, including campaigns focused on stealing credentials.

The group is known for its use of zero-day vulnerabilities in attacks and for custom malware used for data theft, persistence, and as backdoors.

RomCom has previously been linked to numerous ransomware operations, including Cuba and Industrial Spy.

ESET is working on a report regarding the exploitation, which will be published at a later date.
