A dangerous security flaw in WinRAR is being actively exploited in the wild. Experts say Windows users should be on high alert and update as soon as possible.

Cybersecurity experts are urging immediate updates, as attackers have found a way to sneak malware straight into your Windows Startup folders, so that their malicious code runs automatically every time you log in.

What Is the WinRAR Threat?

Security researchers at ESET have uncovered a path traversal zero-day vulnerability in WinRAR, tracked as CVE-2025-8088. The bug is present in older versions of WinRAR and lets attackers craft poisoned RAR archives: when you extract one, files are silently written outside the folder you chose, into critical directories. These include the Windows Startup folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp

Once inside, these executables spring to life at every login, giving the attackers a persistent foothold on your system without you even knowing.
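The containment check that a patched extractor has to apply to every archive entry before writing it, as an added example; this is not ESET's, RARLAB's, or the original article's code. The destination path and the entry names are constructed for illustration (the actual RomCom archives are not reproduced here), and refusing names that contain a colon is a general Windows hardening added here, not a statement about how this CVE was triggered.

```python
import os
import re

# Both Startup folders named above end in this path suffix.
STARTUP_SUFFIX = "start menu/programs/startup"
# Entry names that start with "/" or a drive letter ("C:/") are absolute.
_ABSOLUTE = re.compile(r"^(/|[A-Za-z]:/)")

# Constructed sample: an extraction folder and entry names as a crafted
# archive might carry them (illustrative, not real exploit content).
DEST = "C:/Users/victim/Downloads/extract"
SAMPLE_ENTRIES = [
    "report/2025-Q2.pdf",                                   # benign
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
    "..\\..\\notes.txt",                                    # backslash traversal
    "readme.txt:payload",                                   # NTFS stream syntax
]


def plan_entry(dest: str, entry: str) -> dict:
    """Decide whether one archive entry may be written under dest.

    Returns {"entry", "target", "allowed", "reason", "startup"}: target is the
    path the entry would land on, and startup says whether that path lies in a
    Start Menu\\Programs\\Startup folder, the persistence spot described above.
    """
    name = entry.replace("\\", "/")          # treat both separators alike
    dest = os.path.normpath(dest)
    reason = None

    if _ABSOLUTE.match(name):
        # Checked first: os.path.join would discard dest for an absolute name.
        target = os.path.normpath(name)
        reason = "absolute path"
    elif ":" in name:
        # No legitimate Windows file name contains a colon; it is the syntax
        # for NTFS alternate data streams, so refuse it outright.
        target = os.path.normpath(os.path.join(dest, name))
        reason = "colon in entry name"
    else:
        target = os.path.normpath(os.path.join(dest, name))
        # normpath has already collapsed "..": if dest is no longer a prefix
        # of the result, the entry traverses out of the chosen folder.
        if os.path.commonpath([dest, target]) != dest:
            reason = "escapes destination"

    return {
        "entry": entry,
        "target": target,
        "allowed": reason is None,
        "reason": reason,
        "startup": STARTUP_SUFFIX in target.replace("\\", "/").lower(),
    }


def check_archive(dest: str, entries) -> list:
    """Run plan_entry over every entry; extraction should stop on any refusal."""
    return [plan_entry(dest, e) for e in entries]


def refused_entries(dest: str, entries) -> list:
    """Names that must not be written; a STARTUP hit among them is the tell."""
    return [r["entry"] for r in check_archive(dest, entries) if not r["allowed"]]


if __name__ == "__main__":
    for r in check_archive(DEST, SAMPLE_ENTRIES):
        verdict = "ok    " if r["allowed"] else "REFUSE"
        flag = " [STARTUP]" if r["startup"] else ""
        print(f"{verdict} {r['entry']!r} -> {r['target']}{flag} {r['reason'] or ''}")
```

The order of the checks matters: an absolute name is refused before it is joined to the destination, because joining discards the destination for absolute paths, and the colon rule also catches drive-relative names such as `C:file.exe` that the absolute pattern does not match. The `startup` flag is computed even for refused entries so the report shows when an archive was aiming at a Startup folder.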

Who’s Exploiting It?

The culprit? A Russia-aligned espionage group known as RomCom, also tracked as Storm-0978 or UNC2596.

They’ve been using this flaw in targeted spear-phishing campaigns, dropping backdoors onto victims’ machines and taking control of them.

What Has WinRAR Done?

WinRAR pushed out version 7.13 shortly afterwards, closing this zero-day pathway. The update stops archives from extracting files outside the folder you’ve chosen, shutting the door on this particular exploit. This is not the first traversal bug found in WinRAR this year, though, so expect to need further updates.

Just weeks earlier, another bug, CVE-2025-6218, was patched in version 7.12 beta. That flaw also let a crafted archive write files outside the chosen extraction folder, allowing silent malware installation.

Why You Need to Act Right Now

WinRAR does not update automatically, so you’ll need to download the latest version yourself before attackers get to you. The Windows versions of WinRAR, RAR, UnRAR, and UnRAR.dll are vulnerable, while Unix and Android users can breathe easy… for now.
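Updating closes the hole but does not remove anything already dropped, so a post-update check of the two Startup folders is worthwhile. The script below is an added example, not part of the original article: it lists what is set to auto-run from those folders and flags runnable files that appeared recently. The sample folder it builds for demonstration is constructed; on Windows, `startup_folders()` resolves the real paths from `%APPDATA%` and `%ProgramData%`.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Extensions Windows will execute, or follow, from a Startup folder.
RUNNABLE = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
            ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}

# The two Startup folders named above; the env vars exist only on Windows.
STARTUP_TAIL = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def startup_folders() -> list:
    """Resolve %APPDATA% and %ProgramData% Startup folders (empty off-Windows)."""
    folders = []
    for var in ("APPDATA", "ProgramData"):
        base = os.environ.get(var)
        if base:
            folders.append(Path(base) / STARTUP_TAIL)
    return folders


def sha256_of(path: Path) -> str:
    """Hash the file so it can be looked up or compared across machines."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_folder(folder: Path, newer_than_days: float = 30.0, now: float = None) -> list:
    """One record per file in folder, newest first.

    'recent' is based on creation time, not modification time: WinRAR restores
    the archived modification time on extraction, so mtime can look years old
    while the file actually landed today.
    """
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    records = []
    if not folder.is_dir():
        return records
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        created = getattr(st, "st_birthtime", st.st_ctime)
        records.append({
            "name": p.name,
            "path": str(p),
            "runnable": p.suffix.lower() in RUNNABLE,
            "created": created,
            "mtime": st.st_mtime,
            "recent": created >= cutoff,
            "sha256": sha256_of(p),
        })
    records.sort(key=lambda r: r["created"], reverse=True)
    return records


def suspicious(records: list) -> list:
    """Runnable files that appeared recently: the artifact described above."""
    return [r for r in records if r["runnable"] and r["recent"]]


def make_sample_folder() -> Path:
    """Build a constructed Startup folder in a temp dir (demo data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    (root / "update.exe").write_bytes(b"MZ" + b"\0" * 62)   # fake PE stub
    (root / "launcher.lnk").write_bytes(b"L\0\0\0")         # fake shortcut header
    (root / "notes.txt").write_text("harmless note")
    return root


if __name__ == "__main__":
    folders = startup_folders() or [make_sample_folder()]
    for folder in folders:
        for r in suspicious(scan_folder(folder)):
            stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(r["created"]))
            print(f"{stamp}  {r['sha256'][:16]}  {r['path']}")
```

Anything this lists that you did not put there deserves a closer look; a `.lnk` is included because a shortcut in Startup launches whatever it points at, which may live elsewhere on disk.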

By admin