PC Gamer
Andy Edser

Still using WinRAR? It might be time for an update, as a zero-day vulnerability is being 'exploited in the wild in the guise of job application documents'


There's something about the WinRAR stacked-book logo that makes me all nostalgic, giving me a proper case of the warm fuzzies deep inside. What turns those fuzzies into ouchies, however, is the idea of a zero-day vulnerability in my beloved file compression and extraction tool.

ESET Research first spotted the exploit, now tracked as CVE-2025-8088, in July, and published a full breakdown of its findings yesterday. ESET attributes the activity to RomCom, a Russia-aligned hacking group, and says the flaw is "being exploited in the wild in the guise of job application documents."

The issue has since been fixed in WinRAR 7.13, the current release. From the changelog: "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path." Note that list: the bug isn't only in the WinRAR app itself but also in the command-line RAR and UnRAR tools and in UnRAR.dll, which other programs embed to read RAR files, so those need updating too.

For those of us who struggle to understand the mechanisms behind these attacks (I'm with you, this stuff is often complicated), Bleeping Computer has a good breakdown. Essentially, a specially crafted archive, once it reaches a victim's machine and is extracted, can place an executable in a location of the attacker's choosing rather than the folder the user picked, including Windows autorun locations such as the Startup folder.

The next time the user logs in, Windows launches that executable and the attacker's code runs on the machine. ESET says it has observed such archives being used in spear-phishing campaigns, all of which involved emailing a CV in .rar format to potential victims.
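To make the bug class concrete, here is an added example (my own code, not ESET's, RARLAB's or Bleeping Computer's) of the pattern the 7.13 changelog describes: an extractor that honours the entry name stored in the archive, and so lets the archive rather than the user decide where a file is written. Python's standard library has no RAR parser, so a ZIP stands in for the crafted RAR; the container format is irrelevant to the point, which is the unchecked entry name. The archive contents, the Downloads and Startup paths and the "Updater.exe" name are all constructed for the example. The hardened extractor alongside it refuses any entry that would resolve outside the chosen folder, and a small triage function flags such entries without extracting anything.

```python
"""Path-traversal extraction: the archive, not the user, chooses the output path.

Added example, not code from ESET, RARLAB or Bleeping Computer. A ZIP stands in
for the crafted RAR because the standard library cannot parse RAR; the archive
contents and every path below are constructed sample values.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample: a "job application" archive carrying a harmless CV plus an
# entry whose name climbs out of the user's Downloads folder into the per-user
# Startup folder. The relative path assumes the user extracts one level below
# the profile root, e.g. from C:\Users\<name>\Downloads.
STARTUP_REL = "../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/"
MALICIOUS_NAME = STARTUP_REL + "Updater.exe"


def build_crafted_archive() -> bytes:
    """Build the crafted archive in memory (ZIP standing in for RAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Applicant_CV.pdf", b"%PDF-1.4 placeholder")
        zf.writestr(MALICIOUS_NAME, b"MZ placeholder executable")
    return buf.getvalue()


def _write_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo, target: str) -> None:
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(zf.read(info))


def naive_extract(archive: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: the stored entry name is joined onto the user's folder
    and used as-is, so '../' segments inside the archive pick the final location."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename))
            _write_entry(zf, info, target)
            written.append(target)
    return written


def is_contained(dest: str, name: str) -> bool:
    """True only if `name`, resolved against `dest`, stays inside `dest`.
    Rejects empty names, absolute paths, and any ':' (a drive letter or an NTFS
    alternate-stream suffix cannot be part of a plain relative file name)."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if ":" in name:
        return False
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name.replace("\\", "/")))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened extractor: skip every entry that is not contained in `dest`."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_contained(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.normpath(os.path.join(dest, info.filename))
            _write_entry(zf, info, target)
            written.append(target)
    return written, rejected


def scan_archive(archive: bytes) -> list[str]:
    """Triage helper: list entries that would escape whatever folder the user picks.
    Only the relative name matters, so any fixed probe directory will do."""
    probe = os.path.join(os.sep, "probe")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if not is_contained(probe, i.filename)]


def run_demo() -> dict:
    """Extract the crafted archive with both extractors into fresh temporary trees
    (standing in for a user profile) and report whether the executable was planted."""
    archive = build_crafted_archive()
    report = {"suspicious": scan_archive(archive)}
    for label, extractor in (("naive", naive_extract), ("safe", safe_extract)):
        root = tempfile.mkdtemp()
        downloads = os.path.join(root, "victim", "Downloads")
        os.makedirs(downloads)
        result = extractor(archive, downloads)
        # Where the malicious entry lands if its stored name is honoured as-is.
        startup_exe = os.path.normpath(os.path.join(downloads, MALICIOUS_NAME))
        report[label] = {"result": result, "planted": os.path.exists(startup_exe)}
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the naive extractor reports the "executable" sitting under `victim/AppData/.../Startup/`, while the hardened one writes only the CV and lists the traversal entry as rejected. The containment check deliberately resolves the real path before comparing, so a name that is only superficially relative (`foo/../../x`) is caught as well as an obvious `../x`.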

According to ESET's telemetry, none of the targets it observed were actually compromised, but it's still scary stuff. Ukrainian authorities have previously reported Russian hackers wiping data from government computers in a separate attack that abused WinRAR, although that one was attributed to the infamous Sandworm group, not RomCom.

"By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations," says ESET.

"This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks. The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation."

So, if you've got an older copy of WinRAR on your machine, it's probably best to update to 7.13 or later (Help > About in WinRAR shows which version you're running). Better safe than sorry, ey?
