AI description
CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. The vulnerability was exploited in phishing attacks to deliver RomCom malware. The attackers can trick the program into saving a file in a different location than the user intended, such as the computer's Startup folder. This allows the attackers to execute their own code. WinRAR patched the vulnerability in version 7.13.
- Description: A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
- Source: security@eset.com
- NVD status: Analyzed
- Products: winrar, dtsearch
CVSS 4.0
- Type: Secondary
- Base score: 8.4
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: HIGH
CVSS 3.1
- Type: Primary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity: HIGH
Data from CISA
- Vulnerability name: RARLAB WinRAR Path Traversal Vulnerability
- Exploit added on: Aug 12, 2025
- Exploit action due: Sep 2, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- security@eset.com: CWE-35
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 19
🚨️Russia-linked Turla’s STOCKSTAY backdoor shows up by riding on compromised infrastructure to stay hidden for long espionage runs. Block RDP attachments, patch CVE-2025-8088, and watch WebSocket traffic. Read Google GTIG’s in-depth take: https://t.co/oWIaC8FYL6 https
@Digital_Warfare
29 Jun 2026
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Gamaredon ran 35 phishing campaigns against Ukraine in 2025. ESET says it used new PowerShell tools, HTML smuggling, and CVE-2025-8088 to plant malware in Startup. Simple malware. Harder infrastructure. https://t.co/xeXiPtNcX0
@ridwanseun12
29 Jun 2026
6 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
TRC analysis reveals Gamaredon exploited WinRAR CVE-2025-8088 in 35 campaigns targeting Ukrainian institutions. Attackers used USB/network drive infection for lateral movement across compromised networks. Runtime segmentation helps contain such multi-vector propagation
@aviatrixtrc
29 Jun 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Gamaredon ran 35 phishing campaigns against Ukraine in 2025. ESET says it used new PowerShell tools, HTML smuggling, and CVE-2025-8088 to plant malware in Startup. Simple malware. Harder infrastructure. Read more ↓ https://t.co/5p6W1K4obe https://t.co/yaaLfAdo16
@TheHackersNews
29 Jun 2026
15520 Impressions
8 Retweets
40 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. htt
@ridwanseun12
27 Jun 2026
66 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hackers Exploit WinRAR CVE-2025-8088 to Plant Startup Shortcut and Run PowerShell Loader https://t.co/zpCVSmsYbL
@ohhara_shiojiri
27 Jun 2026
62 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. htt
@Cybersafe_Qu
27 Jun 2026
69 Impressions
2 Retweets
3 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. Se
@TheHackersNews
26 Jun 2026
16357 Impressions
14 Retweets
40 Likes
7 Bookmarks
2 Replies
2 Quotes
Looks no one noticed it yet, so: in recent weeks, some strange CVE-2025-8088 exploiting archives were seen from different countries. Normally, when a CVE-2025-8088 exploiting archive gets uploaded to VT, there are detections from vendors mentioning the exploiting in some way and
@malwrhunterteam
25 Jun 2026
7176 Impressions
4 Retweets
28 Likes
9 Bookmarks
1 Reply
0 Quotes
'Trading-Strategy.rar' seen from Romania @abuse_ch CVE-2025-8088 exploit. 123a5caad17ea78cc6852176b4acec080ad03661bc587dd651b62694059e6315 https://t.co/Gz52IJVCwG URL's: hxxps://cqintzfep6rw6jc9.public.blob.vercel-storage(.)com/2.bat https://t.co/8ls2dgoVkh
@smica83
25 Jun 2026
357 Impressions
2 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
'взвод розвідки.rar' seen from Ukraine @abuse_ch CVE-2025-8088 exploit. 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 https://t.co/ZTtLK1hTWV https://t.co/C2xRntr859
@smica83
23 Jun 2026
498 Impressions
2 Retweets
2 Likes
1 Bookmark
0 Replies
1 Quote
WinRAR path traversal vulnerability CVE-2025-8088: exploitation by Russia-linked threat groups continues https://t.co/bJnx9nFMpJ The vulnerability exploited in this attack, CVE-2025-8088, in older versions of WinRAR
@iototsecnews
22 Jun 2026
95 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
'Besomar_documentation.rar' seen from Ukraine as a CVE-2025-8088 @abuse_ch Possible UAC-0226 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff https://t.co/ZgijnSDyRo @500mk500 @goldenjackel12 https://t.co/R9LvmLI4Db
@smica83
21 Jun 2026
429 Impressions
1 Retweet
2 Likes
1 Bookmark
0 Replies
0 Quotes
WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/E7nF71bTLW https://t
@trendai_RSRCH
20 Jun 2026
393 Impressions
1 Retweet
3 Likes
2 Bookmarks
0 Replies
0 Quotes
Most enterprise software is managed by system administrators, but WinRAR isn't. With no auto-update and no Group Policy support, CVE-2025-8088 is still fueling attacks on Ukraine nearly a year after patch. Here's what you need to know: https://t.co/E7nF71bTLW https://t.co/SHnwr61
@trendai_RSRCH
19 Jun 2026
258 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/srraOdvdMm https:/
@trendaisecurity
18 Jun 2026
485 Impressions
2 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
WinRAR fixed CVE-2025-8088 nearly a year ago. Now it's being actively exploited in the wild. A good reminder that attackers don't care when a patch was released. They care whether it was deployed. 📖 https://t.co/cjU8afBAaQ #PatchManagement #CyberSecurity #ITCommunity
@PatchMyPC
17 Jun 2026
527 Impressions
2 Retweets
5 Likes
1 Bookmark
0 Replies
0 Quotes
'5_13_6-1838_15.06.2026 zip' is a RAR file as a CVE-2025-8088 exploit @abuse_ch https://t.co/bfawl1Rv6d @500mk500 https://t.co/Ixu66JJbOC
@smica83
17 Jun 2026
203 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
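A report has been published stating that the WinRAR vulnerability (CVE-2025-8088), for which a patch was released about a year ago, is still in active use by multiple Russia-linked attack groups. With WinRAR supporting neither automatic updates nor bulk updates for enterprises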
@MalwareBibleJP
17 Jun 2026
2395 Impressions
4 Retweets
24 Likes
15 Bookmarks
0 Replies
2 Quotes
WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/E7nF71bTLW https://t
@trendai_RSRCH
17 Jun 2026
233 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
This vulnerability is known as CVE-2025-8088 and was discovered in the WinRAR program in 2025. Even a year after the update was released, hackers still continue to
@KRDCERT
16 Jun 2026
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Russian hackers exploit WinRAR vulnerability CVE-2025-8088 | https://t.co/2KlUsH4NK0
@beahero_news
16 Jun 2026
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russia-aligned groups have long targeted Ukrainian government and military networks. At least five have now exploited CVE-2025-8088, a WinRAR flaw. Credentials stolen from those targets carry downstream risk for allied nations and partners. Read more: https://t.co/E7nF71bTLW http
@trendai_RSRCH
16 Jun 2026
280 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🔴 WinRAR Flaw Exploited • CVE-2025-8088 abused • Malicious archives used 👉 https://t.co/rBZpvH23Do - Delivers easy-to-deploy protection, advanced security services, and affordable pricing built for SMBs. Read more: https://t.co/j5JYxkAPTv https://t.co/dwwYsGFPHP
@CyberSuite_com
15 Jun 2026
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian campaigns exploit patched WinRAR flaw (CVE-2025-8088) for data theft against Ukrainian orgs. The lesson: attackers don't need zero-days. They need unpatched systems. Your patch cadence is your defense. #DataStrategy #CyberSecurityIntel #DataLeadership #InfoSec
@ernesttheaiguy
15 Jun 2026
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian hackers are exploiting the WinRAR vulnerability CVE-2025-8088 to deploy the GIFTEDCROOK stealer, targeting Ukrainian organizations. This flaw, patched in July 2025, allows attackers to infiltrate systems via malicious RAR archives. Despite the availability of a fix, the h
@dailytechonx
15 Jun 2026
49 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
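It has been found that a WinRAR vulnerability fixed in 2025 is still being exploited in attacks targeting Ukrainian organizations. According to Trend Micro, attacks by multiple Russia-aligned threat groups using CVE-2025-8088, as of April 2026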
@yousukezan
15 Jun 2026
1796 Impressions
3 Retweets
10 Likes
1 Bookmark
0 Replies
1 Quote
Trend Micro reports CVE-2025-8088, a patched WinRAR flaw, is still being exploited by Russia-aligned groups to deliver GIFTEDCROOK and espionage tools against Ukraine. #WinRAR #CVE20258088 #Ukraine #CyberEspionage https://t.co/WRKL9pps9l https://t.co/lV5akIxmt7
@the_yellow_fall
15 Jun 2026
356 Impressions
3 Retweets
4 Likes
1 Bookmark
0 Replies
0 Quotes
Most enterprise software is managed by system administrators, but WinRAR isn't. With no auto-update and no Group Policy support, CVE-2025-8088 is still fueling attacks on Ukraine nearly a year after patch. Here's what you need to know: https://t.co/E7nF71bTLW https://t.co/HJLVZ8A
@trendai_RSRCH
14 Jun 2026
373 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
'Trading.rar' CVE-2025-8088, seen from Ethiopia @abuse_ch https://t.co/luETIHUbUR https://t.co/7XC9WnCW21
@smica83
14 Jun 2026
436 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
Earth Dahu (Gamaredon) has targeted Ukraine since 2013. Its CVE-2025-8088 chain drops HTA files to the Startup folder and proxies C&C traffic through Cloudflare Workers, spoofing Ukrainian government URLs via HTTP @-notation. We take a closer look: https://t.co/E7nF71bTLW
@trendai_RSRCH
14 Jun 2026
326 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
📢 WinRAR: a critical flaw revived in malicious campaigns active in 2026 (CVE-2025-8088). #zoneantimalware https://t.co/JUu1vIHVhX
@NicolasCoolman
12 Jun 2026
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
https://t.co/0NQlN85jbn WinRAR Vulnerability CVE-2025-8088 Remains Actively Exploited — Users Urged to Update Immediately. If you are running WinRAR 7.12 or earlier, you are vulnerable to remote code execution. Update to version 7.13 now via official website....
@DIYprojects55
12 Jun 2026
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian APTs, including Gamaredon, are still exploiting a year-old WinRAR flaw (CVE-2025-8088) to attack Ukrainian government & military targets. The attacks deliver infostealers and espionage tools. 🇷🇺🇺🇦 #APT #Gamaredon #Ukraine #CyberWarfare 🌐 cyber[.]netsec
@NetSecIO
11 Jun 2026
92 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-8088 2 - CVE-2026-49980 3 - CVE-2025-49604 4 - CVE-2026-42897 5 - CVE-2026-8054 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
11 Jun 2026
85 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 - https://t.co/z3qs1pESkh
@moton
11 Jun 2026
55 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
Discover how threat actors weaponize the WinRAR CVE-2025-8088 exploit. Learn about the UAC-0226 and Gamaredon campaigns and how to protect endpoints. #WinRAR #CVE20258088 #CyberEspionage #Gamaredon #InfoSec #EndpointSecurity #TechNews https://t.co/UdKI0BT1P8 https://t.co/MvRy1m3
@the_yellow_fall
11 Jun 2026
255 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Exploitation of patched WinRAR bug CVE-2025-8088 continues by Russian APTs https://t.co/QQfUXczMPM
@CyberSecuriUS
11 Jun 2026
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Two Russian-linked APT groups (Earth Dahu and SHADOW-EARTH-066) continue exploiting CVE-2025-8088 in WinRAR to deliver stealthy, one-shot malware via phishing archives, despite a 2025 patch. https://t.co/fq1TR84F9Y
@Cyber_O51NT
11 Jun 2026
1253 Impressions
8 Retweets
16 Likes
7 Bookmarks
0 Replies
0 Quotes
Russian APT attacks are still exploiting the patched WinRAR vulnerability CVE-2025-8088. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 #SecurityAffairs (Jun 10) https://t.co/9eHuGc1NMc
@foxbook
11 Jun 2026
204 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#ThreatProtection Patched #WinRAR #vulnerability CVE-2025-8088 a focal point of recent campaigns against Ukrainian targets, read more about Symantec's coverage: https://t.co/6aYRLJNF6u
@threatintel
10 Jun 2026
1083 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Active threats are hitting home, with a patched WinRAR flaw still exploited by APTs and a new Defender zero-day impacting even patched systems. Plus, CISA adds more to KEV. Stay on top of patches. What happened: Russian APTs are still exploiting a WinRAR flaw (CVE-2025-8088)
@gh0st_V3ctbrv
10 Jun 2026
88 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Two Russian 🇷🇺 APT groups still exploiting patched WinRAR CVE-2025-8088 (CVSS 8.4) against Ukrainian 🇺🇦 targets nearly a year after fix. Path traversal flaw enables silent file deployment via NTFS Alternate Data Streams during archive extraction. Technical details:
@DFIR_Radar
10 Jun 2026
98 Impressions
0 Retweets
0 Likes
1 Bookmark
1 Reply
0 Quotes
『The vulnerability works because WinRAR remains unpatched on enough endpoints to make the investment worthwhile.』 CVE-2025-8088 Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open https://t.co/KPMzknFCAk
@autumn_good_35
10 Jun 2026
292 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
Trend Micro research has revealed that CVE-2025-8088, a WinRAR vulnerability fixed in 2025, is still being used in attacks targeting Ukrainian organizations. The Russia-linked attack groups "Earth Dahu" and "SHADOW-EARTH-066" new
@yousukezan
10 Jun 2026
1641 Impressions
5 Retweets
18 Likes
5 Bookmarks
0 Replies
0 Quotes
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 https://t.co/vJXonvVmwW
@Dinosn
10 Jun 2026
1629 Impressions
5 Retweets
25 Likes
11 Bookmarks
0 Replies
0 Quotes
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 https://t.co/2MVcyGJN9U
@VivekIntel
10 Jun 2026
304 Impressions
1 Retweet
9 Likes
1 Bookmark
0 Replies
0 Quotes
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088: Despite a 2025 patch, Russian-linked groups still exploit a WinRAR flaw (CVE-2025-8088) to deploy malware via phishing archives. CVE-2025-8088 is a path traversal flaw in WinRAR that lets… https://t.co/tG6bCQMDjr
@shah_sheikh
10 Jun 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian APTs Still Exploiting Patched #WinRAR Flaw CVE-2025-8088 https://t.co/MgnAqFuuZJ #securityaffairs #hacking #Ukraine @TrendMicroHome
@securityaffairs
10 Jun 2026
191 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
WinRAR 7.12 writes a payload straight into the Windows Startup folder during extraction. CVE-2025-8088 (CVSS 8.4, CWE-35) is a path traversal in UnRAR.dll that abuses NTFS alternate data streams. The archive bypasses directory restrictions and places a malicious LNK or
@SecureChap
9 Jun 2026
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F8DD81E1-8FF3-4597-A2EA-C71D3856103E",
            "versionEndExcluding": "7.13",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:dtsearch:dtsearch:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "3658938E-7249-4ADE-8DCF-7B69A80D9221",
            "versionEndExcluding": "2023.01",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]