WinRAR: Security vulnerability is already under attack
A security vulnerability in WinRAR allows malicious code to be executed. It is already under attack in the wild.
IT security researchers have discovered a vulnerability in the WinRAR archiving program that allows attackers to inject and execute malicious code. The vulnerability is already being exploited on the Internet. An update that closes the hole is available; WinRAR users should install it immediately.
According to the vulnerability entry, this is a so-called “path traversal” vulnerability: it allows writing to directories that should not be reachable from the extraction location. Attackers can trigger the flaw with manipulated archive files and thus inject and execute arbitrary code when victims unpack such archives with a vulnerable WinRAR version. The vulnerability was discovered by virus analysts at Eset (CVE-2025-8088 / EUVD-2025-23983, CVSS 8.4, risk “high”).
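To illustrate the class of bug rather than the WinRAR flaw itself, here is an added example (not code from WinRAR, Eset or this article) of the check an extractor should apply to every archive member name before writing it: a lexical pass that rejects names escaping the destination directory, plus a filesystem pass that confirms the resolved path still lies under it. The member names are constructed samples.

```python
import os
import re
from typing import Optional

_DRIVE_RE = re.compile(r"^[A-Za-z]:")   # "C:" prefix, with or without a following slash
def traversal_reason(member: str) -> Optional[str]:
    """Lexical check of one archive member name: None if it stays inside the
    extraction directory, otherwise a short reason to reject it (format- and
    platform-independent, since it never touches the filesystem)."""
    if not member or "\x00" in member:
        return "empty name or embedded NUL"
    norm = member.replace("\\", "/")     # Windows extractors accept both separators
    if norm.startswith("//"):
        return "UNC path"
    if norm.startswith("/") or _DRIVE_RE.match(norm):
        return "absolute or drive-relative path"
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:                # climbed above the destination
                return "escapes destination via '..'"
        else:
            depth += 1
    return None

def resolved_target(member: str, dest_dir: str) -> Optional[str]:
    """Second layer: resolve the final path on disk and confirm it is still under
    dest_dir, which also catches a symlinked sub-directory the lexical check
    cannot see. Returns the absolute target path, or None to reject."""
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *member.replace("\\", "/").split("/")))
    try:
        return target if os.path.commonpath([base, target]) == base else None
    except ValueError:                   # paths on different Windows drives
        return None

def audit_members(members):              # name -> rejection reason (None = safe)
    return {m: traversal_reason(m) for m in members}

# Constructed sample member names, not taken from any real archive.
SAMPLE_MEMBERS = [
    "report.pdf",
    "docs/../readme.txt",                # safe: the '..' never leaves the destination
    "../../outside.txt",
    "..\\..\\outside.txt",
    "C:/Temp/outside.txt",
    "\\\\server\\share\\outside.txt",
]
```

Run both layers on every member before extraction; a single rejected name is reason to refuse the whole archive rather than skip the entry.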
Details remain unclear
WinRAR does not explain exactly which archive types are affected in the release announcement for version 7.13, which closes the security gap. It does state that older versions of RAR, UnRAR, the portable UnRAR source code and UnRAR.dll are susceptible to the vulnerability, while the Unix and Android versions are not affected.
The fixed versions are available from the WinRAR download page. Anyone using WinRAR should update immediately.
Malware distributed
Eset researcher Peter Strýček told Bleepingcomputer that the antivirus company had discovered spear-phishing e-mails with RAR attachments. These abused the vulnerability to install “RomCom” backdoors. RomCom is a cyber gang linked to Russia, also known as Storm-0978, Tropical Scorpius or UNC2596. According to the website, it specializes in ransomware, data theft attacks and credential theft campaigns.
The vulnerability is reminiscent of one recently reported by Trend Micro's Zero Day Initiative (ZDI): WinRAR version 7.12b1 also had to close a security hole that allowed attackers to specify arbitrary paths and thus inject and execute malicious code.
(dmk)