- WinRAR flaw CVE-2025-8088 exploited by state-sponsored and criminal groups
- Attackers use the ADS feature to deploy malware via malicious archives
- Users are encouraged to update to WinRAR 7.13 or later for protection
Iconic Windows archiver WinRAR contains a high-severity vulnerability that allows threat actors to execute arbitrary code on compromised endpoints — and security researchers now say the flaw is being exploited by numerous hacking collectives, both state-sponsored and otherwise.
The bug in question is described as a path traversal bug that affects version 7.12 and earlier. It is tracked as CVE-2025-8088 and received a severity score of 8.4/10 (high).
To secure your premises and prevent hacker attacks, security experts advise updating the program to version 7.13 or later.
Abused as a zero day
Now, Bleeping Computer says several security outfits warned of several hacking collectives using this flaw in their attacks.
Among them is RomCom, a Russia-aligned group, which used it to deploy NESTPACKER against Ukrainian military units. Other notable mentions include APT44 and Turla (also used against the Ukrainian military), Carpathian and several Chinese state-sponsored actors who allegedly used it to drop the POISONIVY malware.
Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, hackers used the Alternate Data Streams (ADS) feature in WinRAR to write malware to arbitrary locations on target devices.
“While the user typically sees a decoy document, such as a PDF, in the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data,” Google said.
When the victim opens the archive, the program extracts the ADS payload using directory traversal, it explained.
In addition to nation states, financially motivated groups also exploited this flaw, using it to drop info stealers such as XWorm or AsyncRAT.
WinRAR does not allow automatic updates, but you do not need to uninstall the program before running the new version. It will simply be installed over the existing one.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
