August 10th, Kuai Technology reports that a critical vulnerability, tracked as CVE-2025-8088, has been addressed in the latest release of WinRAR, version 7.13. The update comes in response to active exploitation of the flaw, which was discovered by ESET researchers.
The vulnerability resides within the core library, UNRAR.dll, responsible for archive decompression. Attackers can craft malicious archives that trick the software into writing files to locations outside of the user’s intended directory during the extraction process. This is a significant risk as it bypasses user consent for file placement.
ESET’s findings indicate that attackers exploited this vulnerability to place malware in sensitive system locations, such as the Startup folder. Executable files placed in the path “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup” run automatically when the user logs in. This effectively grants attackers remote code execution capabilities on compromised machines, allowing them to control the affected system without further user interaction.
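The containment check an extractor or a mail-gateway scanner can apply to archive entry names, written here as an added example (not code from WinRAR, ESET or the article): each name is resolved against the extraction folder using Windows path rules, and any that lands outside it is flagged, with Startup-folder targets marked. The function names, user name, folder paths and entry names are constructed for illustration, and the check covers the general "write outside the chosen directory" case rather than the specific mechanism of CVE-2025-8088, which the article does not describe.

```python
import ntpath  # Windows path rules, so the check behaves the same on any OS

# Per-user Startup folder relative to %APPDATA%, as quoted in the article.
STARTUP_REL = r"Microsoft\Windows\Start Menu\Programs\Startup"


def _key(path):
    """Normalise a Windows path for comparison (collapse '..', fold case)."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_inside(path, folder):
    """True if path is folder itself or lies below it."""
    p, f = _key(path), _key(folder).rstrip("\\")
    return p == f or p.startswith(f + "\\")


def audit_entries(dest_root, entry_names, appdata):
    """Resolve each archive entry name against dest_root and flag the ones
    that would be written outside it, noting hits on the Startup folder."""
    startup = ntpath.join(appdata, STARTUP_REL)
    findings = []
    for name in entry_names:
        # join() lets an absolute or drive-qualified name replace dest_root,
        # which is exactly the case the containment test has to catch.
        target = ntpath.normpath(ntpath.join(dest_root, name))
        if not _is_inside(target, dest_root):
            hit = _is_inside(target, startup)
            findings.append({"entry": name, "target": target, "startup": hit})
    return findings


# Constructed sample data: not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\invoice"
APPDATA = r"C:\Users\alice\AppData\Roaming"
ENTRIES = [
    r"docs\readme.txt",
    r"docs\..\notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk",
    r"C:\Users\alice\AppData\Roaming\MICROSOFT\Windows\Start Menu\Programs\Startup\y",
    "../outside.txt",
]

if __name__ == "__main__":
    for f in audit_entries(DEST, ENTRIES, APPDATA):
        tag = "STARTUP" if f["startup"] else "outside"
        print(f"{tag:8} {f['entry']} -> {f['target']}")
```

The first two constructed entries resolve inside the extraction folder and are not reported; the remaining three are, including the one that uses forward slashes and the one that differs from the real folder only in letter case.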
The attacks are attributed to the RomCom group, which has been active since at least 2022. The RomCom malware itself is a Remote Access Trojan (RAT). Its modus operandi involves social engineering tactics to deceive users. The group often impersonates websites of popular software. When unsuspecting users download and install these disguised installers, the RAT is covertly installed along with them, making the exploitation chain particularly insidious.
It is crucial for all WinRAR users to take immediate action. To ensure protection against this vulnerability, users need to manually visit the official WinRAR website and install version 7.13. According to WinRAR developers, the Unix versions of RAR and UnRAR, as well as the Android version of RAR, are not affected by this particular vulnerability. This distinction highlights the targeted nature of the exploitation and the importance of platform-specific security updates.
