Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom

WinRAR flaw CVE-2025-8088, fixed in v7.13, was exploited as a zero-day in phishing attacks to install RomCom malware.

The WinRAR flaw CVE-2025-8088, a directory traversal bug fixed in version 7.13, was exploited as a zero-day in phishing attacks to deliver RomCom malware, BleepingComputer first reported.

The flaw is a path traversal vulnerability affecting the Windows version of WinRAR. Attackers can exploit the vulnerability to execute arbitrary code by crafting malicious archive files. Researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET disclosed the flaw.

Attackers can craft archives that place executables in Windows Startup folders, causing them to run at login and enabling remote code execution.
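The defensive counterpart of the mechanism just described is to inspect an archive's entry names before extraction and flag anything that would escape the extraction directory or land in a Startup folder. The script below is an added example, not code from the article, ESET or the WinRAR project; it assumes the entry names come from an archive lister (for instance `rarfile.RarFile.namelist()` or the output of `unrar lt`) and the sample entries are constructed for illustration.

```python
"""
Flag archive entries that would escape the extraction directory or land
in a Windows Startup folder, without extracting anything.

Added example (not from the article or ESET). Entry names are assumed to
come from an archive lister; the SAMPLE_ENTRIES below are constructed.
"""
import os
from typing import Dict, List

# Constructed sample entry names, as an archive lister might report them.
SAMPLE_ENTRIES = [
    "invoice_2025.pdf",
    "docs/readme.txt",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/helper.lnk",
    "C:\\Users\\Public\\notes.txt",
]

# Path components (lower-cased) that identify a per-user or all-users Startup folder.
STARTUP_MARKER = ("start menu", "programs", "startup")

# Extensions that Windows will run or resolve at login if dropped into Startup.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".lnk",
                    ".vbs", ".js", ".ps1", ".hta"}


def _components(name: str) -> List[str]:
    # Windows extractors accept both separators, so treat them alike and
    # drop empty and "." components before inspecting the path.
    normalized = name.replace("\\", "/")
    return [c for c in normalized.split("/") if c not in ("", ".")]


def classify_entry(name: str) -> Dict[str, object]:
    """Return the risk indicators for one archive entry name."""
    parts = _components(name)
    lowered = [p.lower() for p in parts]

    # ".." anywhere in the path lets the entry climb out of the extraction directory.
    traversal = ".." in parts

    # A leading separator or a drive letter ("C:") makes the target absolute.
    rooted = name.startswith(("/", "\\")) or (
        bool(parts) and len(parts[0]) == 2
        and parts[0][1] == ":" and parts[0][0].isalpha()
    )

    # Look for the "Start Menu/Programs/Startup" sequence anywhere in the path.
    startup_target = any(
        tuple(lowered[i:i + 3]) == STARTUP_MARKER
        for i in range(len(lowered) - 2)
    )

    ext = os.path.splitext(parts[-1])[1].lower() if parts else ""
    executable = ext in RISKY_EXTENSIONS

    return {
        "name": name,
        "traversal": traversal,
        "rooted": rooted,
        "startup_target": startup_target,
        "executable": executable,
        # Any escape from the extraction directory is reason enough to block.
        "block": traversal or rooted or startup_target,
    }


def scan_entries(names: List[str]) -> List[Dict[str, object]]:
    """Return the findings for every entry that should block extraction."""
    return [r for r in (classify_entry(n) for n in names) if r["block"]]


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        flags = [k for k in ("traversal", "rooted", "startup_target", "executable")
                 if finding[k]]
        print(f"BLOCK {finding['name']!r}: {', '.join(flags)}")
```

The check deliberately operates on the listed names only, so it can sit in a mail gateway or sandbox pre-filter before any extractor runs; an entry that both traverses and targets Startup with an executable extension is exactly the pattern the article describes.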

ESET researchers told BleepingComputer that threat actors actively exploited the vulnerability in spear-phishing attacks to deliver RomCom backdoors.

“ESET has observed spearphishing emails with attachments containing RAR files,” Strýček told BleepingComputer.

These archives exploited CVE-2025-8088 to deliver RomCom backdoors. The threat actor behind RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) is suspected to be a Russia-linked cyberespionage group.

RomCom has previously carried out ransomware and data-theft extortion attacks. At the end of 2024, RomCom exploited two Firefox and Tor Browser zero-day vulnerabilities in attacks on users across Europe and North America.

Pierluigi Paganini

(SecurityAffairs – hacking, RomCom)