A critical security vulnerability in WinRAR, a widely used file compression tool for Windows, is being actively exploited by malicious actors to gain unauthorized control over user systems. Tracked as CVE-2025-8088, the flaw lets a crafted archive write files outside the directory the user chose to extract into, including sensitive locations that Windows acts on automatically, effectively compromising the machine. Although a fixed build has been available since July 30, 2025, the vulnerability continues to pose a significant threat to millions of users who have not updated.
The exploitation of this WinRAR vulnerability has been observed across campaigns targeting a diverse range of organizations, from government-backed espionage operations linked to Russia and China to financially motivated cybercriminals. Threat actors are weaponizing CVE-2025-8088 to deploy malware, steal sensitive credentials, and establish persistent access to compromised systems. This widespread exploitation was detailed by Google Cloud researchers, who identified its use in numerous attack campaigns.
WinRAR Vulnerability Exploited for System Control
Google Cloud researchers have documented the extensive exploitation of CVE-2025-8088, highlighting its use in multiple attack campaigns. These campaigns have targeted Ukrainian military and government organizations, technology companies, and various commercial sectors including hospitality and banking. The researchers observed a consistent pattern where attackers leverage the vulnerability to place malicious files directly into the Windows Startup folder.
Placing a file in the Startup folder ensures that it runs automatically at each logon of the affected user, with no further interaction required. The technique mirrors the exploitation seen with a previous WinRAR vulnerability, CVE-2023-38831, in 2023, underscoring a recurring pattern of attackers capitalizing on unpatched archive software to gain persistent access.
Organizations and individual users remain at risk until they update WinRAR to version 7.13 or later. WinRAR does not update itself, so the fixed build has to be downloaded and installed deliberately, and attackers routinely keep exploiting known vulnerabilities long after fixes are released precisely because that step is skipped. Google has stated that its Safe Browsing and Gmail security features are actively blocking archives that carry this exploit, offering a layer of automated protection for users of those services.
How Attackers Exploit the WinRAR Vulnerability (CVE-2025-8088)
The technical method employed by attackers is a path traversal weakness in WinRAR's archive handling, which allows a specially crafted RAR archive to extract content to arbitrary locations on the victim's computer. Central to the exploitation is the abuse of Alternate Data Streams (ADS), an NTFS feature that lets a file carry additional named streams of data: the traversal sequence is placed in the ADS name of an archive entry, a field that vulnerable versions of WinRAR did not sanitize the way they sanitize ordinary file names.
When a victim opens a weaponized RAR archive, they are typically presented with an innocuous document, such as a PDF file. Hidden within the archive, however, are entries whose names contain directory traversal sequences ("..\") that walk up out of the extraction directory and back down into the Windows Startup folder, so the malicious content is silently written there rather than next to the decoy document.
For instance, a malicious archive might contain an entry whose base file is "innocuous.pdf" and whose ADS name consists of traversal components followed by the path to the Startup folder and "malicious.lnk". Extracting that entry writes "malicious.lnk" directly into the Startup folder. Once the shortcut is in place, it executes the next time the user logs into their Windows account, granting attackers persistent control without requiring further user interaction.
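The following is an added triage example, not code from the original article or from WinRAR or Google: it takes a list of archive entry names (constructed here, as an archive listing tool might print them), splits off any ADS name, resolves where each entry would land if the extractor joined the name onto the destination and let the OS collapse "..", and flags entries that escape the destination, carry traversal in an ADS name, or land in a Startup folder. The destination directory, the entry names and the depth of traversal are assumptions, and the way the ADS name is resolved is a simplified model of the vulnerable behaviour, not a description of WinRAR internals. The containment check in `is_contained` is the check a safe extractor has to make before writing anything.

```python
import ntpath

# Constructed sample entry names, as an archive listing might show them.
# The Startup-folder path is the standard per-user one; the traversal depth
# is chosen to fit the assumed extraction directory below.
SAMPLE_ENTRIES = [
    r"invoice.pdf",
    r"docs\readme.txt",
    r"notes.txt:Zone.Identifier",  # ordinary ADS, stays attached to notes.txt
    r"invoice.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"..\..\evil.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
]

# Assumed (hypothetical) directory the victim extracts into.
DEST_DIR = r"C:\Users\victim\Downloads\archive"

STARTUP_MARKER = r"\start menu\programs\startup"
SEPS = ("\\", "/")


def split_ads(entry):
    """Split 'base:stream' into (base, stream); stream is None when there is no ADS.
    The drive prefix (e.g. 'C:') is set aside first so its colon is not mistaken for an ADS."""
    drive, rest = ntpath.splitdrive(entry)
    if ":" in rest:
        base, stream = rest.split(":", 1)
        return drive + base, stream
    return entry, None


def stream_has_traversal(stream):
    """True if an ADS name contains a '..' component or begins with a path separator."""
    parts = stream.replace("/", "\\").split("\\")
    return ".." in parts or stream.startswith(SEPS)


def resolve_write_path(dest_dir, entry):
    """Where the entry lands if the extractor joins the name onto dest_dir and the
    OS resolves '..'. An ADS name containing separators is resolved relative to the
    base file's directory: a simplified model of the vulnerable behaviour (assumption)."""
    base, stream = split_ads(entry)
    if stream is None or not any(sep in stream for sep in SEPS):
        raw = ntpath.join(dest_dir, base)
    else:
        raw = ntpath.join(dest_dir, ntpath.dirname(base), stream)
    return ntpath.normpath(raw)


def is_contained(dest_dir, path):
    """The check a safe extractor must make: the final path stays under dest_dir."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    try:
        return ntpath.commonpath([dest, ntpath.normcase(path)]) == dest
    except ValueError:  # different drive, or absolute/relative mix
        return False


def triage(dest_dir, entries):
    """Return (entry, resolved_target, reasons) for every suspicious entry."""
    findings = []
    for entry in entries:
        target = resolve_write_path(dest_dir, entry)
        _, stream = split_ads(entry)
        reasons = []
        if not is_contained(dest_dir, target):
            reasons.append("escapes extraction directory")
        if stream is not None and stream_has_traversal(stream):
            reasons.append("ADS name carries path traversal")
        if STARTUP_MARKER in ntpath.normcase(target):
            reasons.append("lands in a Startup folder")
        if reasons:
            findings.append((entry, target, reasons))
    return findings


if __name__ == "__main__":
    for entry, target, reasons in triage(DEST_DIR, SAMPLE_ENTRIES):
        print(f"{entry}\n  -> {target}\n  {', '.join(reasons)}")
```

Run against the constructed listing, the three benign entries pass and the other three are reported, with the ADS entry resolving to the victim's Startup folder and carrying all three reasons. The same `is_contained` test, applied to the fully resolved path of every entry and every ADS name before anything is written, is what a patched extractor has to guarantee; listing-based triage like this is only a pre-screen, because the archive's own names are attacker-controlled.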
This sophisticated attack vector has proven effective across a range of global campaigns. Russian threat groups, such as UNC4895 and APT44, have utilized this vulnerability in attacks targeting Ukraine. Chinese state-sponsored actors have employed it to deploy the POISONIVY malware, while other cybercriminals have used it to distribute remote access tools and information-stealing malware to victims in various regions, including Indonesia, Latin America, and Brazil.
The continued exploitation of this WinRAR vulnerability underscores the ongoing threat posed by unpatched software and the range of actors willing to reuse a public flaw. Users and organizations are strongly urged to confirm that WinRAR is at version 7.13 or later, and to check the Startup folders of users who have opened untrusted archives, since a patch does not remove persistence that was already planted.

