A zero-day vulnerability in the widely used file compression tool WinRAR was exploited in the wild for weeks by at least two distinct threat groups before a fix was available, according to cybersecurity researchers. The flaw, tracked as CVE-2025-8088, is a high-severity path traversal vulnerability: a specially crafted archive can make WinRAR write a file outside the folder the user chose for extraction, and placing that file in an autostart location turns the write into arbitrary code execution once the user extracts the archive. The vulnerability affects the Windows versions of WinRAR up to and including 7.12.
Security firm ESET, which first reported the issue, discovered that a Russia-aligned cyberespionage group known as RomCom (also tracked as Storm-0978) was using the exploit in highly targeted spearphishing campaigns. These attacks, which began as early as July 18, targeted organizations in the financial, manufacturing, defense, and logistics sectors in Europe and Canada. The attackers disguised malicious RAR files as job applications; when a victim extracted one, the exploit planted a loader that installed a backdoor on the system, with SnipBot and a Mythic agent among the payloads ESET observed. ESET stated that the campaign's geopolitical focus aligns with RomCom's typical motivations.
Around the same time, a second, separate threat actor named Paper Werewolf was observed leveraging the same vulnerability. According to Russian cybersecurity firm BI.ZONE, this group used the exploit in phishing emails directed at Russian organizations in July. Both groups may have acquired the exploit from a dark web forum, where an alleged WinRAR zero-day was advertised for sale for $80,000 shortly before the campaigns began, although this has not been confirmed.
The vulnerability lies in how WinRAR handles NTFS alternate data streams (ADS) stored in an archive. A RAR archive can record, alongside an ordinary file, named streams attached to that file, and WinRAR restores them on extraction. Crafted archives carry a stream whose name contains path traversal sequences (such as repeated "..\" components), and the vulnerable versions used that name when building the output path, so the stream's contents were written to an attacker-chosen location rather than beneath the file being extracted. In the observed attacks the target was the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), so the dropped file runs automatically the next time the user logs on. A similar path traversal bug in the handling of entry names, CVE-2025-6218, was patched in WinRAR 7.12 in June 2025.
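The general defence against this class of bug is the same whether the traversal sequence sits in an entry name (CVE-2025-6218) or in an attached stream name (CVE-2025-8088): every output path an extractor is about to open must be checked to stay under the chosen destination. The following is an added example, written for this article and not code from ESET, BI.ZONE or RARLAB, of such a check. It does not parse the RAR format; the entries, the user name and the file names are constructed here to mirror the pattern described above.

```python
"""
Added example, not code from ESET, BI.ZONE or RARLAB: the target-path check
an archive extractor needs so that neither an entry name nor an NTFS
alternate data stream (ADS) name attached to it can steer a write outside
the chosen extraction folder. The sample entries are constructed to mirror
the pattern the article describes (a stream name built from ..\ sequences
that points at the Startup folder); they are not taken from a real sample,
and the RAR container format itself is not modelled.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Windows path prefixes that must never appear in an archive entry name:
# drive letters (C:...) and rooted paths (\x or /x, which also covers UNC).
ABSOLUTE_PREFIX = re.compile(r"^(?:[A-Za-z]:|[\\/])")


class UnsafeEntry(ValueError):
    """Raised for an entry whose extraction target is not under the destination."""


@dataclass(frozen=True)
class Entry:
    name: str                     # file path recorded inside the archive
    stream: Optional[str] = None  # ADS name if this entry is a stream of `name`


def resolve_entry_path(dest_root: str, entry_name: str) -> str:
    """Return the extraction path for an entry, or raise if it escapes dest_root.

    Both '\\' and '/' are treated as separators (Windows accepts both), and
    '..' is only allowed where it steps back into a directory the entry
    itself created beneath dest_root, never above it.
    """
    if ABSOLUTE_PREFIX.match(entry_name):
        raise UnsafeEntry(f"absolute or rooted path in entry: {entry_name!r}")
    kept: list[str] = []
    for comp in re.split(r"[\\/]+", entry_name):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not kept:
                raise UnsafeEntry(f"'..' escapes destination: {entry_name!r}")
            kept.pop()
        else:
            kept.append(comp)
    if not kept:
        raise UnsafeEntry(f"entry resolves to the destination itself: {entry_name!r}")
    return dest_root.rstrip("\\/") + "\\" + "\\".join(kept)


def resolve_stream_path(dest_root: str, entry: Entry) -> str:
    """Like resolve_entry_path, but also validates the ADS name.

    An NTFS stream name is a single name component written after ':'.
    Separators, a further ':' or '..' inside it are not legitimate stream
    names; they are an attempt to make `file:<stream>` open somewhere else.
    """
    base = resolve_entry_path(dest_root, entry.name)
    if entry.stream is None:
        return base
    if entry.stream in ("", ".", "..") or re.search(r"[\\/:]", entry.stream):
        raise UnsafeEntry(f"ADS name is not a plain stream name: {entry.stream!r}")
    return f"{base}:{entry.stream}"


def triage(dest_root: str, entries: list[Entry]) -> dict[str, str]:
    """Map each entry (name or name:stream) to 'ok -> <path>' or 'REJECT: <why>'."""
    report = {}
    for e in entries:
        key = e.name if e.stream is None else f"{e.name}:{e.stream}"
        try:
            report[key] = "ok -> " + resolve_stream_path(dest_root, e)
        except UnsafeEntry as err:
            report[key] = "REJECT: " + str(err)
    return report


# Constructed sample entries (not from a real archive). The Startup folder is
# the location the article names; the user and file names are made up.
STARTUP = r"..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    Entry("cv.pdf"),
    Entry("cv.pdf", stream="Zone.Identifier"),          # ordinary ADS (mark-of-the-web)
    Entry("cv.pdf", stream=STARTUP + r"\Updater.lnk"),  # traversal hidden in the stream name
    Entry(r"..\..\Windows\Temp\payload.exe"),           # classic traversal in the entry name
    Entry(r"docs\..\cv.pdf"),                           # '..' that stays inside the destination
    Entry(r"C:\Windows\Temp\payload.exe"),              # absolute path
]

if __name__ == "__main__":
    for key, verdict in triage(r"C:\Users\victim\Downloads", SAMPLE_ENTRIES).items():
        print(f"{key}\n    {verdict}")
```

The check deliberately normalises the path itself instead of relying on the filesystem: a length or encoding check after the fact would miss the case the article describes, where the entry name is harmless and only the stream name carries the traversal.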
RARLAB, the developer of WinRAR, was notified of the flaw and promptly released a patch. The vulnerability is fixed in WinRAR 7.13; the Windows command-line RAR tool and UnRAR.dll were affected as well, while the Unix builds and RAR for Android were not. WinRAR has no automatic update mechanism, so the fixed version must be downloaded and installed manually. All users, especially those in the targeted industries, are urged to update immediately; organizations should also check user Startup folders for unexpected shortcuts or executables, since that is where these campaigns planted their payloads.