CVE-2025-8088

Published Aug 8, 2025

Last updated 8 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. A crafted archive can trick the program into saving a file in a different location than the user intended, such as the computer's Startup folder, which allows attackers to execute their own code. The vulnerability was exploited in the wild, in phishing attacks that delivered RomCom malware. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. WinRAR patched the vulnerability in version 7.13.

Description: A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Source: security@eset.com
NVD status: Analyzed
Products: winrar, dtsearch

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: RARLAB WinRAR Path Traversal Vulnerability
Exploit added on: Aug 12, 2025
Exploit action due: Sep 2, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@eset.com
CWE-35

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

19

  1. 🚨️‍Russia-linked Turla’s STOCKSTAY backdoor shows up by riding on compromised infrastructure to stay hidden for long espionage runs. Block RDP attachments, patch CVE-2025-8088, and watch WebSocket traffic. Read Google GTIG’s in-depth take: https://t.co/oWIaC8FYL6 https

    @Digital_Warfare

    29 Jun 2026

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️ Gamaredon ran 35 phishing campaigns against Ukraine in 2025. ESET says it used new PowerShell tools, HTML smuggling, and CVE-2025-8088 to plant malware in Startup. Simple malware. Harder infrastructure. https://t.co/xeXiPtNcX0

    @ridwanseun12

    29 Jun 2026

    6 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. TRC analysis reveals Gamaredon exploited WinRAR CVE-2025-8088 in 35 campaigns targeting Ukrainian institutions. Attackers used USB/network drive infection for lateral movement across compromised networks. Runtime segmentation helps contain such multi-vector propagation

    @aviatrixtrc

    29 Jun 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ⚠️ Gamaredon ran 35 phishing campaigns against Ukraine in 2025. ESET says it used new PowerShell tools, HTML smuggling, and CVE-2025-8088 to plant malware in Startup. Simple malware. Harder infrastructure. Read more ↓ https://t.co/5p6W1K4obe https://t.co/yaaLfAdo16

    @TheHackersNews

    29 Jun 2026

    15520 Impressions

    8 Retweets

    40 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. htt

    @ridwanseun12

    27 Jun 2026

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Hackers Exploit WinRAR CVE-2025-8088 to Plant Startup Shortcut and Run PowerShell Loader https://t.co/zpCVSmsYbL

    @ohhara_shiojiri

    27 Jun 2026

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. htt

    @Cybersafe_Qu

    27 Jun 2026

    69 Impressions

    2 Retweets

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 Google has linked Turla to a new .NET backdoor. STOCKSTAY was used in espionage campaigns targeting #Ukraine government and military organizations. It overlaps with Kazuar and reached targets through phishing, RDP files, MSI installers, and #WinRAR CVE-2025-8088 lures. Se

    @TheHackersNews

    26 Jun 2026

    16357 Impressions

    14 Retweets

    40 Likes

    7 Bookmarks

    2 Replies

    2 Quotes

  9. Looks no one noticed it yet, so: in recent weeks, some strange CVE-2025-8088 exploiting archives were seen from different countries. Normally, when a CVE-2025-8088 exploiting archive gets uploaded to VT, there are detections from vendors mentioning the exploiting in some way and

    @malwrhunterteam

    25 Jun 2026

    7176 Impressions

    4 Retweets

    28 Likes

    9 Bookmarks

    1 Reply

    0 Quotes

  10. 'Trading-Strategy.rar' seen from Romania @abuse_ch CVE-2025-8088 exploit. 123a5caad17ea78cc6852176b4acec080ad03661bc587dd651b62694059e6315 https://t.co/Gz52IJVCwG URL's: hxxps://cqintzfep6rw6jc9.public.blob.vercel-storage(.)com/2.bat https://t.co/8ls2dgoVkh

    @smica83

    25 Jun 2026

    357 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 'взвод розвідки.rar' seen from Ukraine @abuse_ch CVE-2025-8088 exploit. 420f1931af9b3f7d02c5edfc78eb69abdad6e71d2c3e9b81f9cbc3823a503654 https://t.co/ZTtLK1hTWV https://t.co/C2xRntr859

    @smica83

    23 Jun 2026

    498 Impressions

    2 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    1 Quote

  12. WinRAR path traversal vulnerability CVE-2025-8088: exploitation by Russia-linked threat groups continues https://t.co/bJnx9nFMpJ As for CVE-2025-8088, the vulnerability exploited in this attack, older versions of WinRAR

    @iototsecnews

    22 Jun 2026

    95 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 'Besomar_documentation.rar' seen from Ukraine as a CVE-2025-8088 @abuse_ch Possible UAC-0226 28f58061348a1c54fa6e7ff6618630259618d4afdf78514d5fccfc993797cdff https://t.co/ZgijnSDyRo @500mk500 @goldenjackel12 https://t.co/R9LvmLI4Db

    @smica83

    21 Jun 2026

    429 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  14. WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/E7nF71bTLW https://t

    @trendai_RSRCH

    20 Jun 2026

    393 Impressions

    1 Retweet

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  15. Most enterprise software is managed by system administrators, but WinRAR isn't. With no auto-update and no Group Policy support, CVE-2025-8088 is still fueling attacks on Ukraine nearly a year after patch. Here's what you need to know: https://t.co/E7nF71bTLW https://t.co/SHnwr61

    @trendai_RSRCH

    19 Jun 2026

    258 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  16. WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/srraOdvdMm https:/

    @trendaisecurity

    18 Jun 2026

    485 Impressions

    2 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  17. WinRAR fixed CVE-2025-8088 nearly a year ago. Now it's being actively exploited in the wild. A good reminder that attackers don't care when a patch was released. They care whether it was deployed. 📖 https://t.co/cjU8afBAaQ #PatchManagement #CyberSecurity #ITCommunity

    @PatchMyPC

    17 Jun 2026

    527 Impressions

    2 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  18. '5_13_6-1838_15.06.2026 zip' is a RAR file as a CVE-2025-8088 exploit @abuse_ch https://t.co/bfawl1Rv6d @500mk500 https://t.co/Ixu66JJbOC

    @smica83

    17 Jun 2026

    203 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

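  19. A report has been published stating that the WinRAR vulnerability (CVE-2025-8088), about a year after its patch was released, is still in active use by multiple Russia-linked attack groups. With WinRAR supporting neither auto-update nor bulk updating for enterprises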

    @MalwareBibleJP

    17 Jun 2026

    2395 Impressions

    4 Retweets

    24 Likes

    15 Bookmarks

    0 Replies

    2 Quotes

  20. WinRAR is used daily across Ukraine, but CVE-2025-8088, a WinRAR flaw patched in July 2025, is still being exploited. TrendAI™ Research tracked two Russia-aligned groups producing new exploit samples for this flaw through April 2026. Read more: https://t.co/E7nF71bTLW https://t

    @trendai_RSRCH

    17 Jun 2026

    233 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. This vulnerability is known as CVE-2025-8088 and was discovered in the WinRAR program in 2025. Even a year after the update was released, hackers are still continuing to

    @KRDCERT

    16 Jun 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. Russian hackers exploit WinRAR vulnerability CVE-2025-8088 | https://t.co/2KlUsH4NK0

    @beahero_news

    16 Jun 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Russia-aligned groups have long targeted Ukrainian government and military networks. At least five have now exploited CVE-2025-8088, a WinRAR flaw. Credentials stolen from those targets carry downstream risk for allied nations and partners. Read more: https://t.co/E7nF71bTLW http

    @trendai_RSRCH

    16 Jun 2026

    280 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🔴 WinRAR Flaw Exploited • CVE-2025-8088 abused • Malicious archives used 👉 https://t.co/rBZpvH23Do - Delivers easy-to-deploy protection, advanced security services, and affordable pricing built for SMBs. Read more: https://t.co/j5JYxkAPTv https://t.co/dwwYsGFPHP

    @CyberSuite_com

    15 Jun 2026

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Russian campaigns exploit patched WinRAR flaw (CVE-2025-8088) for data theft against Ukrainian orgs. The lesson: attackers don't need zero-days. They need unpatched systems. Your patch cadence is your defense. #DataStrategy #CyberSecurityIntel #DataLeadership #InfoSec

    @ernesttheaiguy

    15 Jun 2026

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Russian hackers are exploiting the WinRAR vulnerability CVE-2025-8088 to deploy the GIFTEDCROOK stealer, targeting Ukrainian organizations. This flaw, patched in July 2025, allows attackers to infiltrate systems via malicious RAR archives. Despite the availability of a fix, the h

    @dailytechonx

    15 Jun 2026

    49 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

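  27. It has been found that a WinRAR vulnerability fixed in 2025 is still being exploited in attacks targeting Ukrainian organizations. According to Trend Micro, multiple Russia-aligned threat groups, attacks using CVE-2025-8088, as of April 2026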

    @yousukezan

    15 Jun 2026

    1796 Impressions

    3 Retweets

    10 Likes

    1 Bookmark

    0 Replies

    1 Quote

  28. Trend Micro reports CVE-2025-8088, a patched WinRAR flaw, is still being exploited by Russia-aligned groups to deliver GIFTEDCROOK and espionage tools against Ukraine. #WinRAR #CVE20258088 #Ukraine #CyberEspionage https://t.co/WRKL9pps9l https://t.co/lV5akIxmt7

    @the_yellow_fall

    15 Jun 2026

    356 Impressions

    3 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  29. Most enterprise software is managed by system administrators, but WinRAR isn't. With no auto-update and no Group Policy support, CVE-2025-8088 is still fueling attacks on Ukraine nearly a year after patch. Here's what you need to know: https://t.co/E7nF71bTLW https://t.co/HJLVZ8A

    @trendai_RSRCH

    14 Jun 2026

    373 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  30. 'Trading.rar' CVE-2025-8088, seen from Ethiopia @abuse_ch https://t.co/luETIHUbUR https://t.co/7XC9WnCW21

    @smica83

    14 Jun 2026

    436 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Earth Dahu (Gamaredon) has targeted Ukraine since 2013. Its CVE-2025-8088 chain drops HTA files to the Startup folder and proxies C&C traffic through Cloudflare Workers, spoofing Ukrainian government URLs via HTTP @-notation. We take a closer look: https://t.co/E7nF71bTLW

    @trendai_RSRCH

    14 Jun 2026

    326 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  32. 📢 WinRAR: a critical flaw revived in active malicious campaigns in 2026 (CVE-2025-8088). #zoneantimalware https://t.co/JUu1vIHVhX

    @NicolasCoolman

    12 Jun 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. https://t.co/0NQlN85jbn WinRAR Vulnerability CVE-2025-8088 Remains Actively Exploited — Users Urged to Update Immediately. If you are running WinRAR 7.12 or earlier, you are vulnerable to remote code execution. Update to version 7.13 now via official website....

    @DIYprojects55

    12 Jun 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Russian APTs, including Gamaredon, are still exploiting a year-old WinRAR flaw (CVE-2025-8088) to attack Ukrainian government & military targets. The attacks deliver infostealers and espionage tools. 🇷🇺🇺🇦 #APT #Gamaredon #Ukraine #CyberWarfare 🌐 cyber[.]netsec

    @NetSecIO

    11 Jun 2026

    92 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Top 5 Trending CVEs: 1 - CVE-2025-8088 2 - CVE-2026-49980 3 - CVE-2025-49604 4 - CVE-2026-42897 5 - CVE-2026-8054 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    11 Jun 2026

    85 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 - https://t.co/z3qs1pESkh

    @moton

    11 Jun 2026

    55 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  37. Discover how threat actors weaponize the WinRAR CVE-2025-8088 exploit. Learn about the UAC-0226 and Gamaredon campaigns and how to protect endpoints. #WinRAR #CVE20258088 #CyberEspionage #Gamaredon #InfoSec #EndpointSecurity #TechNews https://t.co/UdKI0BT1P8 https://t.co/MvRy1m3

    @the_yellow_fall

    11 Jun 2026

    255 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Exploitation of patched WinRAR bug CVE-2025-8088 continues by Russian APTs https://t.co/QQfUXczMPM

    @CyberSecuriUS

    11 Jun 2026

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Two Russian-linked APT groups (Earth Dahu and SHADOW-EARTH-066) continue exploiting CVE-2025-8088 in WinRAR to deliver stealthy, one-shot malware via phishing archives, despite a 2025 patch. https://t.co/fq1TR84F9Y

    @Cyber_O51NT

    11 Jun 2026

    1253 Impressions

    8 Retweets

    16 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  40. Russian APT attacks are still exploiting the patched WinRAR vulnerability CVE-2025-8088. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 #SecurityAffairs (Jun 10) https://t.co/9eHuGc1NMc

    @foxbook

    11 Jun 2026

    204 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. #ThreatProtection Patched #WinRAR #vulnerability CVE-2025-8088 a focal point of recent campaigns against Ukrainian targets, read more about Symantec's coverage: https://t.co/6aYRLJNF6u

    @threatintel

    10 Jun 2026

    1083 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Active threats are hitting home, with a patched WinRAR flaw still exploited by APTs and a new Defender zero-day impacting even patched systems. Plus, CISA adds more to KEV. Stay on top of patches. What happened: Russian APTs are still exploiting a WinRAR flaw (CVE-2025-8088)

    @gh0st_V3ctbrv

    10 Jun 2026

    88 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Two Russian 🇷🇺 APT groups still exploiting patched WinRAR CVE-2025-8088 (CVSS 8.4) against Ukrainian 🇺🇦 targets nearly a year after fix. Path traversal flaw enables silent file deployment via NTFS Alternate Data Streams during archive extraction. Technical details:

    @DFIR_Radar

    10 Jun 2026

    98 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  44. 『The vulnerability works because WinRAR remains unpatched on enough endpoints to make the investment worthwhile.』 CVE-2025-8088 Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open https://t.co/KPMzknFCAk

    @autumn_good_35

    10 Jun 2026

    292 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

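  45. Trend Micro research has revealed that the WinRAR vulnerability CVE-2025-8088, fixed in 2025, is still being used in attacks targeting Ukrainian organizations. The Russia-linked attack groups "Earth Dahu" and "SHADOW-EARTH-066" newly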

    @yousukezan

    10 Jun 2026

    1641 Impressions

    5 Retweets

    18 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  46. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 https://t.co/vJXonvVmwW

    @Dinosn

    10 Jun 2026

    1629 Impressions

    5 Retweets

    25 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  47. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 https://t.co/2MVcyGJN9U

    @VivekIntel

    10 Jun 2026

    304 Impressions

    1 Retweet

    9 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  48. Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088: Despite a 2025 patch, Russian-linked groups still exploit a WinRAR flaw (CVE-2025-8088) to deploy malware via phishing archives. CVE-2025-8088 is a path traversal flaw in WinRAR that lets… https://t.co/tG6bCQMDjr

    @shah_sheikh

    10 Jun 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Russian APTs Still Exploiting Patched #WinRAR Flaw CVE-2025-8088 https://t.co/MgnAqFuuZJ #securityaffairs #hacking #Ukraine @TrendMicroHome

    @securityaffairs

    10 Jun 2026

    191 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  50. WinRAR 7.12 writes a payload straight into the Windows Startup folder during extraction. CVE-2025-8088 (CVSS 8.4, CWE-35) is a path traversal in UnRAR.dll that abuses NTFS alternate data streams. The archive bypasses directory restrictions and places a malicious LNK or

    @SecureChap

    9 Jun 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations