In a recent report, Google’s Threat Intelligence Group (GTIG) revealed that the critical WinRAR vulnerability, CVE-2025-8088, is still actively being exploited by several threat actors, including nation-state groups and financially motivated hackers. Despite being patched in July 2025, the flaw continues to pose significant risks as attackers exploit it across various operations.
What is the WinRAR Vulnerability CVE-2025-8088?
The flaw, identified as CVE-2025-8088, is a path traversal issue that allows a crafted archive to drop malicious files into the Windows Startup folder. Anything placed there provides persistence: the malware runs automatically each time the user logs in, including after a system restart. The flaw was patched in WinRAR version 7.13 on July 30, 2025, but exploitation of this vulnerability remains widespread.
Threat Actors Behind the Exploitation
GTIG noted that a range of threat groups are exploiting this vulnerability. Nation-state actors linked to Russia and China, as well as financially motivated groups, have used the flaw in their attacks. Among the groups involved, RomCom (also tracked as CIGAR or UNC4895) has been observed delivering the SnipBot malware, and Russian actors such as Sandworm, Gamaredon, and Turla have leveraged the flaw for espionage and cyberattacks against Ukrainian targets.
Financially driven threat actors are deploying commodity remote access Trojans (RATs) like AsyncRAT and XWorm to target commercial organizations. These actors often deliver malware that creates backdoors and facilitates further exploitation.
How the Exploitation Works
Exploitation typically involves embedding a malicious Windows shortcut (LNK) in an alternate data stream (ADS) entry of the archive, which keeps it out of sight in a normal file listing. When the user opens the malicious archive, the path traversal in that entry places the shortcut in the Windows Startup folder, where it executes automatically at the next logon.
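A defender-side triage check for the pattern just described, added here as an example (it is not code from GTIG's report or from WinRAR): it takes archive entry names as plain strings (how you list them, e.g. with an archive tool, is left to you; the sample names below are constructed) and flags traversal sequences, including ones hidden inside an alternate data stream name, that would land a .lnk in a Startup folder.

```python
"""Triage archive entry names for the CVE-2025-8088 pattern: path traversal,
possibly hidden in an NTFS alternate data stream (ADS) name, that would
drop a shortcut into a Windows Startup folder."""
import ntpath

# Folder fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

# Constructed sample listing: one benign file, one ADS traversal aimed at
# Startup, one plain traversal, and one harmless Zone.Identifier stream.
SAMPLE_ENTRIES = [
    "CV_Jan_2025.pdf",
    "CV_Jan_2025.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "../../evil.exe",
    "notes.txt:Zone.Identifier",
]


def analyze_entry(name: str) -> dict:
    """Classify one archive entry name; verdict is ok/review/high/critical."""
    norm = name.replace("/", "\\")            # archives may use either separator
    drive, rest = ntpath.splitdrive(norm)     # "C:" prefix means an absolute path
    path_part, _, stream = rest.partition(":")  # "file.txt:stream" is an ADS name
    ads = bool(stream)
    components = [c for c in (path_part + "\\" + stream).split("\\") if c]
    # Escape from the extraction directory: ".." component or absolute path.
    traversal = ".." in components or bool(drive) or rest.startswith("\\")
    # Where the data would actually be written (the stream name, for an ADS).
    resolved = ntpath.normpath(stream if ads else path_part)
    startup = STARTUP_MARKER in resolved.lower()
    lnk = resolved.lower().endswith(".lnk")
    if traversal and startup:
        verdict = "critical"                  # persistence drop, the CVE's use case
    elif traversal:
        verdict = "high"                      # writes outside the extraction dir
    elif ads:
        verdict = "review"                    # ADS entry, but stays in place
    else:
        verdict = "ok"
    return {"name": name, "ads": ads, "traversal": traversal, "startup": startup,
            "lnk": lnk, "resolved": resolved, "verdict": verdict}


def scan_entries(names) -> list:
    """Return findings for every entry that is not plainly ok."""
    return [f for f in map(analyze_entry, names) if f["verdict"] != "ok"]


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"[{finding['verdict']}] {finding['name']}")
```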
The Growing Threat of N-Day Vulnerabilities
The continued exploitation of CVE-2025-8088 highlights the dangers of so-called N-day vulnerabilities: flaws that remain exploitable on unpatched systems long after they have been publicly disclosed and fixed. The underground economy surrounding these exploits has commoditized them, with attackers purchasing ready-to-use exploits for thousands of dollars. As a result, less technically skilled actors can exploit the flaw with minimal resources.
What Users and Organizations Can Do
To protect against the ongoing risks posed by CVE-2025-8088, users and organizations should ensure they are running the latest version of WinRAR, which includes the patch. They should also be cautious about the archives they open and consider additional security measures such as endpoint protection and file integrity monitoring, with particular attention to unexpected writes to the Startup folder.
The Threat Is Far from Over
The ongoing exploitation of the WinRAR vulnerability underscores the critical importance of timely patching and proactive security practices. While WinRAR has issued a fix, the widespread exploitation by various threat actors serves as a reminder of the risks posed by unpatched vulnerabilities.