Update Now! WinRAR Version 7.13 Patches Flaw Used by Global Espionage Groups.

Global Alert: Critical WinRAR Zero-Day (CVE-2025-8088) Exploited by Multiple State-Sponsored Groups

The Google Threat Intelligence Group (GTIG) has issued a formal warning regarding a high-severity vulnerability in WinRAR, identified as CVE-2025-8088. The flaw is currently being actively exploited by threat actors ranging from common cybercriminals to sophisticated state-sponsored espionage groups.

The Vulnerability: Path Traversal Execution

The flaw affects WinRAR version 7.12 and older. It is a path traversal vulnerability: a crafted archive can force the application to extract files into locations the user never chose, such as the Windows Startup folder, instead of the selected extraction directory.

By simply opening a specially crafted archive file, a user unknowingly triggers the malware to embed itself within the system, allowing it to execute automatically upon the next reboot.

How the Attack Unfolds

Hackers typically use social engineering tactics, disguising malicious payloads within archives that appear to contain benign documents like PDFs or invoices. Once the user opens or extracts the archive, WinRAR silently drops the malware into critical system directories, leading to full system compromise and the installation of secondary backdoors.

Identified Threat Actors

Google has identified several high-profile groups leveraging this flaw:

  • RomCom (UNC4895): A group known for developing specialized backdoors for high-value targets.

  • State-Sponsored Groups: Well-known APTs (Advanced Persistent Threats) including APT44, Turla, and several China-linked groups are using this exploit to distribute data-stealing tools and spyware.

The "Auto-Update" Problem

Google highlights a recurring issue in cybersecurity: even after a patch is released, millions of machines remain vulnerable. Because WinRAR lacks an automatic update system, users must manually download and install the latest version, leaving a massive global attack surface for hackers to exploit.

Urgent Action Required: The WinRAR development team strongly urges all users to update to Version 7.13 immediately. A single malicious archive is all it takes for hackers to gain total control over your device.

How to update WinRAR:

  • Install the new program over the existing one.

This vulnerability (CVE-2025-8088) is similar to a notorious WinRAR vulnerability from 2023 that attackers used to trick users into opening files with fake file extensions (extension spoofing). It reflects a trend of attackers targeting existing weaknesses in the file handling of WinRAR, a long-established piece of software.

In the cyber world, path traversal is like a delivery person being able to walk through your back door and leave a package in your bedroom without you noticing. The software's failure to sanitize the destination path of each extracted file, that is, to check that the file lands inside the chosen extraction folder, is therefore one of the most dangerous classes of vulnerability.
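The destination-path check that an archive extractor must perform can be shown directly. The following is an added example written for this article, not WinRAR's code and not part of the original post: it applies Windows path semantics (via Python's `ntpath`, so it runs on any platform) to each entry name an archive claims, and flags any entry that would escape the extraction directory. The archive entry names in `SAMPLE_ENTRIES` are constructed for illustration, including one that points at a Startup folder through `..` components, and the helper names `is_safe_member` and `audit_entries` are my own.

```python
import ntpath

# Characters Windows does not permit in file names (':' also blocks
# drive specs and stream syntax that do not belong in an archive entry).
RESERVED_CHARS = set('<>:"|?*')


def is_safe_member(member_name: str) -> bool:
    """Return True only if this archive entry would be written inside the
    extraction directory. Every other shape is rejected outright."""
    if not member_name or "\x00" in member_name:
        return False

    # Treat '/' and '\' alike, as a Windows extractor would.
    name = member_name.replace("/", "\\")

    # Reject drive-rooted (C:\...) and UNC (\\server\share\...) names.
    drive, rest = ntpath.splitdrive(name)
    if drive:
        return False

    # Reject names rooted at the top of the current drive (\Windows\...).
    if rest.startswith("\\"):
        return False

    # Reject reserved characters anywhere in the remaining name.
    if any(c in RESERVED_CHARS for c in rest):
        return False

    # Collapse '.' and '..' components; if the normalized name still begins
    # with '..', it climbs above the extraction directory.
    normalized = ntpath.normpath(rest)
    return normalized.split("\\")[0] != ".."


def audit_entries(entry_names):
    """Return the entry names that must not be extracted."""
    return [name for name in entry_names if not is_safe_member(name)]


# Constructed sample listing of an archive's entry names (not from any
# real sample): two benign documents and three traversal attempts.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/2025/report.docx",
    "..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\Temp\\helper.exe",
    "a/../../b.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        verdict = "OK     " if is_safe_member(name) else "REJECT "
        print(verdict, name)
```

The check is deliberately allow-list shaped: an entry is accepted only when, after normalizing separators and collapsing `..`, it is a plain relative path with no drive, root, or reserved character. Note that `a/../b.txt` is accepted because it normalizes to `b.txt`, while `a/../../b.txt` is rejected because one `..` survives normalization; the decision is made on the normalized form, not on whether the string contains `..`.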

Researchers have found that users often neglect updating utility software like WinRAR or 7-Zip more than their browsers or operating systems, thinking that "it's just a file extraction program" and shouldn't be dangerous. Hackers exploit this psychological vulnerability as a primary entry point.

If you cannot keep up with frequent manual updates, experts recommend trying the native support for .rar and .7z files built into Windows 11. This offers higher security because it is maintained and patched by Microsoft as part of Windows.


Source: bleepingcomputer 
