Ethical Hacking News

WinRAR Zero-Day Exploited to Install Malware through Archive Extraction



A recently fixed WinRAR vulnerability was exploited by attackers in a phishing campaign. Crafted archives plant malware at extraction time, exposing users to remote code execution. This serves as another reminder of the importance of keeping software up to date and prioritizing cybersecurity measures.

  • WinRAR vulnerability CVE-2025-8088, a directory traversal flaw, has been exploited in the wild.
  • The exploit lets attackers extract files into a file path of the attacker's choosing, enabling remote code execution.
  • The attack uses phishing emails with attachments containing RAR files, actively exploiting the vulnerability.
  • RomCom group, linked to Cuba and Industrial Spy ransomware operations, has used this exploit to deliver custom malware.
  • Regular software updates and security awareness are crucial in safeguarding against zero-day exploits.



The cybersecurity landscape has witnessed numerous zero-day exploits in recent times, leaving software developers and users alike scrambling to address these vulnerabilities. The latest addition to this growing list is the exploitation of a recently fixed WinRAR vulnerability tracked as CVE-2025-8088. This exploit leverages a directory traversal vulnerability, addressed in WinRAR 7.13, that allows attackers to extract files into a file path selected by the attacker.

When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll can be tricked into using a path defined in a specially crafted archive instead of the user-specified path. This vulnerability is particularly concerning because it enables attackers to create archives that extract executables into autorun paths, such as the Windows Startup folders located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per-user) and %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (machine-wide). The next time a user logs in, the executable runs automatically, giving the attacker remote code execution.
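The defensive counterpart of the behaviour described above is a path check performed before any entry is written to disk. The following is an added example, not code from WinRAR, RARLAB or ESET: given the entry names from an archive listing (obtained from whatever archive library is in use; parsing the RAR format itself is out of scope here) and the directory the user chose, it resolves where each entry would land and flags entries that use an absolute path, climb out of the destination with `..`, or, worse, resolve into one of the Windows Startup folders named in the article. It uses `PureWindowsPath` so the Windows path semantics are applied regardless of the host it runs on. The `classify_entry` and `audit_entries` names, the Startup-folder suffix constant and the sample archive listing are all constructed for this example.

```python
from pathlib import PureWindowsPath

# Tail shared by the two Startup folders named in the article (per-user under
# %APPDATA%, machine-wide under %ProgramData%), compared case-insensitively.
# Constructed constant for this example.
STARTUP_SUFFIX = "microsoft\\windows\\start menu\\programs\\startup"


def _normalize(name: str) -> str:
    """Fold both separators and case the way NTFS treats them."""
    return name.replace("/", "\\").lower()


def _resolve(dest: PureWindowsPath, rel: PureWindowsPath) -> tuple[PureWindowsPath, bool]:
    """Walk rel's components starting at dest. Returns the final path and
    whether any '..' climbed above dest. pathlib keeps '..' components
    untouched, so the climbing has to be tracked explicitly."""
    stack = list(dest.parts)
    escaped = False
    for part in rel.parts:
        if part == "..":
            if len(stack) <= len(dest.parts):
                escaped = True          # this step leaves the destination
            if len(stack) > 1:          # never pop the drive anchor itself
                stack.pop()
        else:
            stack.append(part)
    return PureWindowsPath(*stack), escaped


def classify_entry(entry_name: str, dest_dir: str) -> tuple[str, str]:
    """Decide what extracting entry_name into dest_dir would do.

    Returns (verdict, resolved_target). Verdicts:
      "ok"        lands inside dest_dir
      "absolute"  drive-qualified, rooted or UNC path; ignores dest_dir entirely
      "traversal" '..' components escape dest_dir
      "autorun"   escapes dest_dir AND lands in a Windows Startup folder
    """
    dest = PureWindowsPath(_normalize(dest_dir))
    entry = PureWindowsPath(_normalize(entry_name))

    if entry.drive or entry.root:            # C:\..., \..., \\server\share\...
        verdict, target = "absolute", entry
    else:
        target, escaped = _resolve(dest, entry)
        verdict = "traversal" if escaped else "ok"

    # Only an entry that already escapes dest can reach a real Startup folder;
    # a folder merely *named* like one inside dest is harmless, so it stays "ok".
    if verdict != "ok" and STARTUP_SUFFIX in str(target.parent):
        verdict = "autorun"
    return verdict, str(target)


def audit_entries(entry_names, dest_dir: str) -> dict:
    """Map each entry that must NOT be extracted to its verdict."""
    flagged = {}
    for name in entry_names:
        verdict, _ = classify_entry(name, dest_dir)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


# Constructed sample listing, not taken from any real captured archive.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    r"Microsoft\Windows\Start Menu\Programs\Startup\notes.txt",
    r"docs\..\..\..\x.exe",
    r"\evil.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.exe",
]
DEST = r"C:\Users\alice\Downloads\invoice"

if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        verdict, target = classify_entry(name, DEST)
        print(f"{verdict:9s} {name}  ->  {target}")
```

The key design point is that the decision is made on the resolved destination, not on the presence of the string `..` alone: a name such as `docs\..\readme.txt` stays inside the destination and is allowed, while an entry that climbs one level too many is refused before a single byte is written. Extractors that perform this check on every entry are not fooled by the crafted paths the article describes.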

The exploitation of this vulnerability is notable for its use in phishing attacks. According to Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, who discovered this flaw, it was actively exploited in spearphishing emails with attachments containing RAR files. These archives exploited the CVE-2025-8088 vulnerability to deliver RomCom backdoors. RomCom is a Russia-aligned group known for its use of zero-day vulnerabilities in attacks and custom malware for data theft, persistence, and as backdoors.

The group has previously been linked to numerous ransomware operations, including Cuba and Industrial Spy. The ESET team is working on a report regarding the exploitation, which will be published at a later date. In light of this vulnerability, it is strongly advised that all users manually download and install the latest version from win-rar.com to be protected from this vulnerability.

Furthermore, this exploit highlights the importance of regular software updates and security awareness. The use of zero-day exploits underscores the need for robust cybersecurity measures, including secure software development practices, vulnerability assessment, and penetration testing.

In conclusion, the exploitation of a recently fixed WinRAR vulnerability serves as a stark reminder of the ever-evolving threat landscape in the digital age. It is imperative that users prioritize their software security through regular updates, awareness campaigns, and robust cybersecurity measures to safeguard against such threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/WinRAR-Zero-Day-Exploited-to-Install-Malware-through-Archive-Extraction-ehn.shtml

  • Published: Fri Aug 8 17:56:42 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.