The developers of the popular file archiving utility WinRAR have released a critical security update to address a zero-day vulnerability, tracked as CVE-2025-8088. This flaw, which affects the Windows version of the tool, is a path traversal vulnerability. It allows attackers to execute arbitrary code by tricking the application into writing files to unintended directories when extracting a specially crafted malicious archive. WinRAR version 7.13, released on July 31, 2025, includes the fix for this security defect. This is not the first time WinRAR has faced such a severe security issue, as another vulnerability, CVE-2023-38831, was heavily exploited by threat actors in 2023. This recurring pattern of zero-day exploits highlights the critical importance of keeping software updated.
While the full extent of the exploitation of CVE-2025-8088 is not yet known, there are indications that it has already been used in targeted attacks. According to a report from Russian cybersecurity firm BI.ZONE, the hacking group Paper Werewolf (also known as GOFFEE) may have leveraged this vulnerability in conjunction with another directory traversal bug, CVE-2025-6218, which was patched in June 2025. These attacks reportedly targeted Russian organizations in July 2025 through phishing emails. These emails contained malicious archives that, when opened, exploited the vulnerabilities to execute code and place files in sensitive locations, all while a decoy document distracted the victim.
The core of both CVE-2025-8088 and CVE-2025-6218 is a path traversal attack. This type of vulnerability occurs when an application fails to properly sanitize user-supplied input, allowing an attacker to manipulate file paths. In this case, attackers created malicious archives where the file paths within the archive were designed to trick WinRAR into writing files outside the intended extraction directory. For example, by including relative paths such as ../../ in a file name within the archive, an attacker could instruct the program to write a file to a sensitive system folder like the Windows Startup folder, leading to code execution upon the next system login.
The Dark Web Connection
Before the public disclosure and patching of these vulnerabilities, a threat actor named “zeroplayer” was advertising a WinRAR zero-day exploit for sale on a Russian dark web forum for $80,000. It is suspected that the Paper Werewolf hacking group may have acquired this exploit and used it in their attacks. This sequence of events, from a dark web sale to real-world exploitation, underscores a common and dangerous pattern in the cybercrime ecosystem. It shows how quickly new vulnerabilities can be weaponized and used to target organizations and individuals, making rapid patching by users and developers essential.
7-Zip Also Patches Vulnerability
Another popular file archiver, 7-Zip, also released an update to address a security flaw, CVE-2025-55188. This vulnerability, which is less severe than the WinRAR flaws with a CVSS score of 2.7, allows for an arbitrary file write due to how 7-Zip handles symbolic links during extraction. This could potentially lead to code execution, particularly on Unix systems, if an attacker overwrites sensitive files like SSH keys. The issue has been fixed in 7-Zip version 25.01. This simultaneous patching of vulnerabilities in two major file archiving tools highlights a broader trend of attackers targeting these widely used utilities as a gateway to compromise systems.
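The two bug classes described above (the `../` traversal behind the WinRAR flaws and the symbolic-link handling behind the 7-Zip flaw) both come down to an extractor failing to confirm that each write stays inside the chosen extraction directory. The following Python is an added illustration of the containment checks a defender would expect an extractor to perform; it is not code from WinRAR, 7-Zip or the article, and the extraction root and archive entries it uses are constructed samples. Paths are normalised POSIX-style after converting backslashes, so the same logic applies to entries written with either separator.

```python
import posixpath
import re
from typing import List, Optional, Tuple

_DRIVE_RE = re.compile(r"^[A-Za-z]:")          # rejects Windows drive-letter paths


def _contained(root: str, path: str) -> bool:
    # True if a normalised path is root itself or strictly beneath it.
    return path == root or path.startswith(root + "/")


def resolve_entry(extract_root: str, entry_name: str) -> Optional[str]:
    """Destination for an archive entry, or None if it would escape extract_root
    via ../ traversal, an absolute path or a drive letter."""
    root = posixpath.normpath(extract_root.replace("\\", "/"))
    name = entry_name.replace("\\", "/")     # RAR/ZIP entries may use either separator
    if name.startswith("/") or _DRIVE_RE.match(name):
        return None
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        return None
    dest = posixpath.normpath(posixpath.join(root, norm))
    return dest if _contained(root, dest) else None


def plan_extraction(extract_root: str,
                    entries: List[Tuple[str, Optional[str]]]) -> Tuple[List[str], List[str]]:
    """Dry-run extraction of (name, symlink_target_or_None) entries in archive order.
    Returns (accepted destinations, rejected names). Refuses entries that escape
    the root, symlinks that point outside it, and any write whose path passes
    through a symlink created earlier in the same archive."""
    root = posixpath.normpath(extract_root.replace("\\", "/"))
    symlinks: set = set()
    accepted, rejected = [], []
    for name, target in entries:
        dest = resolve_entry(root, name)
        parent = posixpath.dirname(dest) if dest else ""
        through_link = any(parent == s or parent.startswith(s + "/") for s in symlinks)
        if dest is None or through_link:
            rejected.append(name)
            continue
        if target is not None:          # symlink entry: its target must also stay inside root
            t = target.replace("\\", "/")
            resolved = posixpath.normpath(posixpath.join(parent, t))
            if t.startswith("/") or _DRIVE_RE.match(t) or not _contained(root, resolved):
                rejected.append(name)
                continue
            symlinks.add(dest)
        accepted.append(dest)
    return accepted, rejected
```

These checks are purely lexical: a real extractor must also refuse to follow symbolic links that already exist on disk beneath the extraction directory, and should create files with flags that do not follow links.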