Newly Discovered WinRAR Exploit Linked to Russian Hacking Group Can Plant Backdoor Malware - Zero Day Hack Requires Manual Update to Fix

A new vulnerability has been discovered in the file archiving software WinRAR which can be abused to install backdoor malware on Windows PCs. The zero-day vulnerability was identified by security researchers at ESET and is tracked as CVE-2025-8088.

The vulnerability is classified as a directory traversal flaw that allows malicious archives to place files in locations chosen by the attacker. By exploiting it, threat actors can place executable files into autorun directories like the Windows Startup folder, allowing the placed malicious files to execute automatically the next time the system boots.

This provides attackers with a pathway to remote code execution, making it a highly dangerous vulnerability. The exploit was first spotted by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, who observed spearphishing emails with attachments containing RAR files delivering RomCom backdoors.

RomCom is a Russian-linked hacking group known for its involvement in cybercrime and cyber-espionage activities. The group primarily targeted entities in Ukraine, including the government, military, energy, and water infrastructure, before expanding its scope to include organizations and audiences in the U.S., Europe, and internationally connected to Ukraine-related humanitarian efforts.

The vulnerability has been acknowledged and fixed in a new WinRAR update, version 7.13. The release notes explain that, when extracting a file, previous versions of WinRAR can be tricked into using a path defined in a specially crafted archive instead of the user-specified extraction path. This allows attackers to bypass extraction boundaries and deposit files into unintended locations.
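The root cause described above is that the extractor let a path stored in the archive, rather than the destination chosen by the user, decide where a file landed. The check below is an added illustration, not ESET's or WinRAR's code: it validates each archive entry name against Windows path rules (evaluated lexically, so it behaves the same on any host) before joining it to the destination, and rejects absolute paths, drive-relative names and any `..` component. The entry names in `sample_entries` are constructed for the example.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample entry names, as they might be stored in an archive.
sample_entries: List[str] = [
    "docs\\report.pdf",                 # normal relative entry
    "..\\..\\Startup\\update.exe",      # climbs out of the destination
    "C:\\Windows\\Temp\\loader.dll",    # absolute path
    "C:report.txt",                     # drive-relative, resolves elsewhere
    "sub\\..\\..\\notes.txt",           # escapes after normalisation
    "\\\\server\\share\\x.exe",         # UNC path
]


def safe_extract_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the full destination for an archive entry, or None if the
    entry's stored name would escape dest_dir. The entry name is untrusted
    input and must never choose its own directory."""
    entry = PureWindowsPath(entry_name)
    # Absolute paths, drive letters and UNC roots are never acceptable.
    if entry.is_absolute() or entry.drive or entry.root:
        return None
    # Reject every '..' component: normalising 'a\..\..\b' still escapes.
    if any(part == ".." for part in entry.parts):
        return None
    parts = [p for p in entry.parts if p not in ("", ".")]
    if not parts:
        return None
    base = PureWindowsPath(dest_dir)
    target = base.joinpath(*parts)
    # Belt and braces: the joined path must still sit under the base.
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return str(target)


def triage_entries(dest_dir: str, names: List[str]) -> Dict[str, List[str]]:
    """Split entry names into those safe to write and those to refuse."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for name in names:
        key = "accepted" if safe_extract_path(dest_dir, name) else "rejected"
        result[key].append(name)
    return result


if __name__ == "__main__":
    print(triage_entries("C:\\Users\\u\\Downloads\\out", sample_entries))
```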

Since WinRAR does not include an auto-update feature, users are advised to update the software manually. Notably, the Unix versions of RAR, Unrar, the portable Unrar source code, the Unrar library, and RAR for Android are not affected by this vulnerability.

A similar directory traversal flaw was spotted in June, when independent security researcher "whs3-detonator" reported CVE-2025-6218 to Trend Micro's Zero Day Initiative. This vulnerability also stemmed from flawed handling of archive file paths, allowing attackers to bypass extraction boundaries and deposit files into unintended locations.

As with any zero-day exploit, it is essential to take immediate action to protect yourself. Updating WinRAR to the latest version (7.13) can help prevent this vulnerability from being exploited. Make sure to follow the recommended update instructions and keep your software up-to-date to ensure your safety.

Stay Safe with Tom's Hardware
