
The maintainer of the WinRAR file archiving utility has released an update to address an actively exploited zero-day vulnerability.
Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue is described as a path traversal affecting the Windows version of the tool. It can be exploited by means of a specially crafted archive to write files outside the chosen extraction directory and ultimately obtain arbitrary code execution.
"When extracting a file, previous versions of WinRAR, RAR, UnRAR, portable UnRAR source code and UnRAR.dll for Windows can be tricked into using a path defined in a specially crafted archive instead of the user-specified path," WinRAR said in its advisory.
Anton Cherepanov, Peter Kosinar, and Peter Strycek of ESET have been credited with discovering and reporting the flaw, which was addressed in WinRAR version 7.13, released on July 31, 2025.

Details of how the vulnerability is being weaponized in real-world attacks are not currently known. In 2023, another WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) was heavily exploited, including as a zero-day, by multiple threat actors linked to China and Russia.
Russian cybersecurity vendor BI.ZONE said in a report released last week that there are indications the hacking group tracked as Paper Werewolf (aka GOFFEE) may have exploited CVE-2025-8088 alongside CVE-2025-6218, another directory traversal vulnerability affecting the Windows version of WinRAR.
It is worth noting that an advertisement for a WinRAR zero-day exploit was posted on July 7, 2025, by a threat actor going by the handle "zeroplayer". It is suspected that the Paper Werewolf actor acquired the exploit and used it in the attacks.
"In previous versions of WinRAR, as well as RAR, UnRAR, portable UnRAR source code and UnRAR.dll for Windows, a specially crafted archive can be used to manipulate file paths during extraction."
"To exploit this vulnerability, user interaction is required, and files could be written outside the intended directory. This flaw could be exploited to place files in sensitive locations, such as the Windows Startup folder."
According to BI.ZONE, the attacks targeted Russian organizations in July 2025. The attackers initially exploited CVE-2025-6218 and later switched to CVE-2025-8088, in both cases writing files outside the target directory to achieve code execution while a decoy document is presented to the victim.

"The vulnerability relates to the fact that when you create a RAR archive, you can include files containing alternate data streams whose names contain relative paths," BI.ZONE said. "These streams can contain any payload. If you unpack such an archive, or open an attachment directly from the archive, the data from the alternate stream will be written to an arbitrary directory on disk. This is a directory traversal attack."
"The vulnerability affects WinRAR versions up to 7.12. Starting with version 7.13, this vulnerability is no longer reproduced."
One of the malicious payloads in question is a .NET loader designed to send system information to an external server and receive additional malware containing encrypted .NET assemblies.
"Paper Werewolf uses a C# loader to retrieve the victim's computer name and send it to the server in a generated link in order to obtain the payload," the company added. "Paper Werewolf uses reverse shell sockets to communicate with the control server."
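The two traversal patterns described above (an alternate data stream whose name contains relative path components, and a file entry whose own path leaves the extraction directory) can both be spotted by inspecting archive metadata before anything is extracted. The scanner below is an added example written for this article; it is not WinRAR, ESET or BI.ZONE code. It follows the public RAR 5.0 format layout (header CRC, vint-encoded sizes, file and service headers, the "service data" extra record that carries the ADS name for an "STM" service header) and handles only the RAR5 container, not the older RAR4 format. The sample archive, file names and stream names are constructed in code and are not taken from any real attack. It goes slightly beyond the quoted description by also flagging file entries with '..' components or absolute paths, the pattern attributed to CVE-2025-6218.

```python
"""Triage scanner for RAR5 archives: flags file names and NTFS alternate data
stream (STM) names that would escape the extraction directory. Layout follows
the public RAR 5.0 format note; the sample archive is constructed, not real."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002        # header flags: extra area / data area present
FHFL_MTIME, FHFL_CRC32 = 0x0002, 0x0004     # file flags: mtime / data CRC32 present
EXTRA_SUBDATA = 0x07                        # "service data" extra record: ADS name for STM


def vint(n):
    """Encode a RAR5 variable-length integer: 7 bits per byte, high bit = more bytes."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_vint(buf, pos):
    """Decode a vint at buf[pos]; returns (value, position after it)."""
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos


def block(htype, body, extra=b"", data=b""):
    """Frame one header: CRC32 | size | type | flags | [extra size] [data size] | body | extra, then data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint(htype) + vint(flags)
    hdr += vint(len(extra)) if extra else b""
    hdr += vint(len(data)) if data else b""
    hdr = vint(len(hdr) + len(body) + len(extra)) + hdr + body + extra  # size counts from type field
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data             # CRC covers size..end of extra


def entry_body(name, data, host_os=0):
    """Fields shared by file (type 2) and service (type 3) headers: stored, Windows host."""
    return (vint(FHFL_CRC32) + vint(len(data)) + vint(0x20)   # file flags, unpacked size, attributes
            + struct.pack("<I", zlib.crc32(data))            # data CRC32
            + vint(0) + vint(host_os)                        # compression info (store), host OS
            + vint(len(name)) + name)


def build_sample_archive(file_name, stream_name):
    """Constructed sample: one stored file plus an STM service header naming an ADS on it."""
    decoy, payload = b"harmless decoy content", b"[InternetShortcut]\r\n"  # constructed bytes
    sub = stream_name.encode("utf-8")
    extra = vint(len(vint(EXTRA_SUBDATA)) + len(sub)) + vint(EXTRA_SUBDATA) + sub
    return (RAR5_SIG
            + block(HEAD_MAIN, vint(0))
            + block(HEAD_FILE, entry_body(file_name.encode("utf-8"), decoy), data=decoy)
            + block(HEAD_SERVICE, entry_body(b"STM", payload), extra=extra, data=payload)
            + block(HEAD_ENDARC, vint(0)))


def parse_headers(archive):
    """Yield (type, name, service_data) per header, verifying each header CRC."""
    if not archive.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(archive):
        crc = struct.unpack_from("<I", archive, pos)[0]
        hsize, p = read_vint(archive, pos + 4)
        hend = p + hsize
        if zlib.crc32(archive[pos + 4:hend]) != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = read_vint(archive, p)
        flags, p = read_vint(archive, p)
        extra_size, p = read_vint(archive, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(archive, p) if flags & HFL_DATA else (0, p)
        name = subdata = None
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(archive, p)
            p = read_vint(archive, p)[1]                  # unpacked size
            p = read_vint(archive, p)[1]                  # attributes
            p += (4 if fflags & FHFL_MTIME else 0) + (4 if fflags & FHFL_CRC32 else 0)
            p = read_vint(archive, p)[1]                  # compression info
            p = read_vint(archive, p)[1]                  # host OS
            nlen, p = read_vint(archive, p)
            name = archive[p:p + nlen].decode("utf-8", "replace")
            q = hend - extra_size                         # extra records: size | type | payload
            while q < hend:
                rsize, q2 = read_vint(archive, q)
                rtype, q3 = read_vint(archive, q2)
                if rtype == EXTRA_SUBDATA:
                    subdata = archive[q3:q2 + rsize].decode("utf-8", "replace")
                q = q2 + rsize
        yield htype, name, subdata
        if htype == HEAD_ENDARC:
            break
        pos = hend + data_size


def escapes(path):
    """True if a file name would leave the extraction directory: '..' component, root or drive prefix."""
    parts = path.replace("\\", "/").split("/")
    return ".." in parts or path[:1] in ("/", "\\") or (len(path) > 1 and path[1] == ":")


def stream_escapes(stream):
    """ADS names are ':Name' with no path structure (e.g. ':Zone.Identifier'); separators or '..' are suspect."""
    s = stream.lstrip(":")
    return "/" in s or "\\" in s or ".." in s.split("/")


def find_suspicious(archive):
    """Return ('file', name) and ('stream', 'file:stream') entries that would escape the target directory."""
    hits, parent = [], None
    for htype, name, subdata in parse_headers(archive):
        if htype == HEAD_FILE:
            parent = name
            if escapes(name):
                hits.append(("file", name))
        elif htype == HEAD_SERVICE and name == "STM" and subdata is not None and stream_escapes(subdata):
            hits.append(("stream", parent + (subdata if subdata.startswith(":") else ":" + subdata)))
    return hits


if __name__ == "__main__":
    print(find_suspicious(build_sample_archive("invoice.docx", r":..\..\..\Programs\Startup\update.lnk")))
    print(find_suspicious(build_sample_archive("invoice.docx", ":Zone.Identifier")))
```

Run against a real archive with `find_suspicious(open(path, "rb").read())`; a benign archive created on Windows typically yields no hits even when it carries `:Zone.Identifier` streams, while an entry whose stream or file name walks upward is reported with the file it is attached to. The CRC check is deliberate: a header whose CRC does not verify is an extraction tool's signal to stop, and a triage tool should surface that rather than silently skipping it.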