https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability

WinRAR developers have released an urgent security update to address an actively exploited zero-day vulnerability that allows attackers to achieve arbitrary code execution through specially crafted archive files. The critical flaw, tracked as CVE-2025-8088 with a CVSS score of 8.8, affects the path traversal mechanism in Windows versions of WinRAR, RAR, UnRAR, and related tools, enabling malicious actors to manipulate file extraction paths and execute code on victim systems. The vulnerability was discovered by ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek, and has been patched in WinRAR version 7.13 released on July 31, 2025.

The zero-day exploit was reportedly advertised on the Russian-language dark web forum Exploit.in by a threat actor called “zeroplayer” for $80,000 on July 7, 2025, before being acquired and weaponized by the hacking group Paper Werewolf (also known as GOFFEE). Russian cybersecurity firm BI.ZONE reported that Paper Werewolf combined CVE-2025-8088 with another recently patched WinRAR vulnerability, CVE-2025-6218, in targeted attacks against Russian organisations throughout July 2025. The attacks utilised phishing emails containing malicious archives that, when opened, exploited these vulnerabilities to write files outside intended directories and achieve code execution while displaying decoy documents to victims.

The exploitation technique involves creating RAR archives with files containing NTFS alternate data streams (ADS) whose stream names include relative paths, allowing attackers to write arbitrary payloads to sensitive locations such as the Windows Startup folder for persistent code execution. This represents the latest in a series of WinRAR vulnerabilities that have attracted significant threat actor attention, following the heavily exploited CVE-2023-38831 that was used by multiple Chinese and Russian threat groups. The incident coincides with a separate security update for 7-Zip, which patched CVE-2025-55188, a symbolic link handling flaw that could enable arbitrary file writes and potential code execution, demonstrating the ongoing security challenges facing popular file archiving utilities used by millions of users worldwide.
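The defensive counterpart of the technique described above is a pre-extraction check on archive entry names: an extractor (or a mail gateway inspecting attachments) should refuse any name that is absolute, that resolves outside the destination directory, or whose alternate data stream portion carries path separators or `..` components. The following is an added example written for this summary, not code from ESET, the WinRAR project or the article; it assumes the entry names are obtained from some archive listing tool beforehand, the destination `C:\extract` and the sample entry list are constructed, and the ADS split rule (first colon after any drive letter begins the stream name) is the NTFS naming rule rather than anything WinRAR-specific.

```python
"""Pre-extraction checker for archive entry names (added example).

Given the entry names an archive tool would write, flag three patterns, the
third being the one described for CVE-2025-8088:

  1. absolute or drive-relative names (\\x, C:\\x, C:x),
  2. relative names that resolve outside the extraction directory,
  3. NTFS alternate data stream (ADS) names ("file:stream") whose stream
     part contains path separators or ".." components.

Entry names below are constructed samples, not files from a real archive.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def _normalize(name: str) -> str:
    # Windows extractors treat '/' and '\\' alike, so fold them before checking.
    return name.replace("/", "\\")


def is_absolute(name: str) -> bool:
    """True for '\\x', 'C:\\x' and drive-relative 'C:x'; all ignore the destination."""
    n = _normalize(name)
    return n.startswith("\\") or (len(n) >= 2 and n[0].isalpha() and n[1] == ":")


def split_ads(name: str) -> tuple[str, str | None]:
    """Split 'dir\\file.txt:stream' into ('dir\\file.txt', 'stream').

    A file path cannot contain a colon other than after a drive letter, so the
    first colon after that position is the ADS separator and everything after
    it, path separators included, is what NTFS receives as the stream name.
    Splitting on the last backslash instead would hide a stream such as
    '..\\..\\x' inside what looks like an ordinary relative path.
    """
    n = _normalize(name)
    start = 2 if len(n) >= 2 and n[0].isalpha() and n[1] == ":" else 0
    idx = n.find(":", start)
    if idx < 0:
        return n, None
    return n[:idx], n[idx + 1:]


def escapes_destination(entry_path: str, dest: str) -> bool:
    """True when dest joined with entry_path does not stay under dest."""
    dest_norm = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, entry_path)))
    return not (target == dest_norm or target.startswith(dest_norm + "\\"))


def check_entry(name: str, dest: str = "C:\\extract") -> list[Finding]:
    findings: list[Finding] = []
    if is_absolute(name):
        findings.append(Finding(name, "absolute or drive-relative path"))
        return findings
    file_part, stream = split_ads(name)
    if escapes_destination(file_part, dest):
        findings.append(Finding(name, "file path resolves outside destination"))
    if stream is not None and ("\\" in stream or ".." in stream.split("\\")):
        # A legitimate stream name never contains a path separator; one that
        # does, or that is '..', matches the ADS-with-relative-path pattern.
        findings.append(Finding(name, "ADS stream name carries path components"))
    return findings


def scan(entries: list[str], dest: str = "C:\\extract") -> list[Finding]:
    """Run check_entry over a whole listing and collect every finding."""
    return [f for name in entries for f in check_entry(name, dest)]


# Constructed sample listing: two benign entries, three that must be flagged.
SAMPLE_ENTRIES = [
    "docs\\report.pdf",
    "docs/notes.txt:comment",                  # benign ADS without path parts
    "..\\..\\payload.exe",                      # classic traversal in the file path
    "C:\\Windows\\Temp\\payload.exe",           # absolute path
    "report.pdf:..\\..\\Startup\\sample.exe",   # ADS carrying a relative path
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f"FLAG {f.reason}: {f.entry}")
```

The check is deliberately applied to the name as the archive presents it, before any sanitising, because the vulnerability class lies in a sanitiser that validated the file path but not the stream name appended to it; a benign stream name such as `comment` passes, while any stream name containing a separator is rejected outright rather than normalised.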