A security flaw in WinRAR lets malware install during Windows startup

WinRAR's recent security flaw risks malware running at startup, urging user updates.

A significant security vulnerability in WinRAR, tracked as CVE-2025-8088, has been exploited in phishing attacks that place malware files in Windows startup folders. The flaw lets attackers run malware automatically every time Windows restarts, and it affects only the Windows versions of WinRAR and related tools. ESET researchers discovered the flaw, which a group named RomCom has used in spear-phishing emails to spread malware that steals information and maintains access. To counter it, WinRAR's developers released version 7.13 on July 30, 2025; the update must be installed manually to close this vulnerability.

A serious vulnerability has been discovered in the popular archive software WinRAR that poses a severe risk to Windows users. Tracked as CVE-2025-8088, the flaw allows attackers to craft malicious archives that place files in locations the user never chose, specifically the Windows folders whose contents are executed during system startup. This is a path traversal vulnerability: the path stored with an archive entry is used to write the file outside the folder selected for extraction. It can allow malware to run silently every time the computer is rebooted, giving attackers persistent access to the system.

The vulnerability was brought to light by security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček of ESET. Their investigation revealed its exploitation by a notorious hacking group known as RomCom, also referred to in cybersecurity circles as Storm-0978, Tropical Scorpius, or UNC2596. The group is known for cyber-espionage and was observed leveraging the flaw in spear-phishing operations, sending targeted individuals emails carrying malicious RAR files. Victims who opened them with an older version of WinRAR unwittingly allowed malware to be installed, capable of stealing sensitive data and allowing sustained unauthorized access.

RomCom's infiltration techniques notably involve email-borne spear-phishing attacks and emphasize the usage of encrypted communications within their malware to evade detection. Their malware is particularly adept at hiding among legitimate system processes, disguised well enough to remain under most security radars. The latest exploit involving WinRAR is not their first, as they have a history of exploiting previously undisclosed software vulnerabilities for both surveillance and ransomware attacks.

Urgent countermeasures have been advised in light of these revelations. The developers behind WinRAR responded by releasing an updated version of their software, version 7.13 Final, on July 30, 2025. The update is crucial because it prevents such archive files from extracting contents to any folder other than the one specified by the user, neutralizing the current exploit. A noteworthy stipulation is that WinRAR does not update itself automatically, so users must manually download and install this critical patch from the official website to safeguard against the vulnerability.
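The two passages above describe the defect (an archive entry's path escaping the extraction folder) and the fix (refusing to write anywhere but the folder the user chose). The following Python is an added example, not WinRAR's code or ESET's: it builds a small in-memory ZIP whose entry names are constructed to include a traversal sequence, then performs the confinement check a safe extractor makes before writing each entry. The Startup-folder path in the constructed entry name is a sample, and the check is written generically for any archive format whose entry names are stored as strings.

```python
"""Path-confinement check for archive extraction (added example)."""
from __future__ import annotations

import io
import posixpath
import zipfile
from pathlib import PureWindowsPath


def entry_is_confined(dest: str, name: str) -> bool:
    """Return True only if writing `name` would stay inside `dest`.

    Normalises the things an extractor must handle before trusting a
    name: backslash separators, absolute paths and drive or UNC prefixes,
    and '..' components that climb above the destination.
    """
    normalized = name.replace("\\", "/")
    # Absolute paths and drive letters never belong in an archive entry.
    if normalized.startswith("/") or PureWindowsPath(name).drive:
        return False
    # Collapse '.' and '..' and see whether the result left dest.
    joined = posixpath.normpath(posixpath.join(dest, normalized))
    dest_norm = posixpath.normpath(dest)
    return joined == dest_norm or joined.startswith(dest_norm + "/")


def build_sample_archive() -> bytes:
    """Constructed sample: two benign entries plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign text")
        zf.writestr("report/data.csv", "a,b\n1,2\n")
        # zipfile does not sanitise names on write, so the constructed
        # traversal name below is stored exactly as given.
        traversal = (
            "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\"
            "Start Menu\\Programs\\Startup\\sample.exe"
        )
        zf.writestr(zipfile.ZipInfo(traversal), b"MZ sample bytes")
    return buf.getvalue()


def plan_extraction(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split entries into those safe to write under dest and those refused.

    A real extractor would call this per entry before opening any output
    file; here the names are only listed so the check can be inspected.
    """
    allowed: list[str] = []
    refused: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = allowed if entry_is_confined(dest, info.filename) else refused
            target.append(info.filename)
    return allowed, refused


if __name__ == "__main__":
    ok, bad = plan_extraction(build_sample_archive(), "/tmp/extract")
    print("would write:", ok)
    print("refused    :", bad)
```

The check is deliberately done on the normalised joined path rather than by searching the raw name for `..`, because a name such as `sub/../file.txt` is harmless while `..\\file.txt` is not, and both contain the same two characters.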

Given WinRAR's considerable user base (exceeding 500 million globally) and its prior security flaws, experts highlight the importance of keeping the software current to shield against potential threats. They encourage users to be skeptical of email attachments from unidentified senders and recommend comprehensive antivirus software that can identify disguised threats inside archives. Regularly examining the system startup folders for files that should not be there is also recommended as a preventative measure.
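One practical way to examine the startup folders regularly, as the paragraph above recommends, is to record a baseline of what they contain and report anything added or changed since. The script below is an added example, not from the article or from ESET or WinRAR: it hashes every file under the per-user and all-users Startup folders, located through the APPDATA and PROGRAMDATA environment variables (assumed standard Windows layout), and compares the result with a saved baseline. The list of file extensions it flags is the author's own choice; the test feeds it constructed directories instead of the real folders.

```python
"""Startup-folder baseline check (added example)."""
from __future__ import annotations

import hashlib
import json
import os
from pathlib import Path

# Where the two Startup folders sit under APPDATA and PROGRAMDATA
# (assumption: standard Windows layout).
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"

# Shortcuts (.lnk) are the normal occupants of these folders; a file with
# one of these extensions dropped directly into them deserves a closer look.
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def default_startup_dirs() -> list[Path]:
    """Per-user and all-users Startup folders, if the env vars are set."""
    roots = [os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")]
    return [Path(r) / STARTUP_SUBPATH for r in roots if r]


def snapshot(dirs) -> dict[str, dict]:
    """Map each file under the given directories to its SHA-256 and size."""
    result: dict[str, dict] = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for f in sorted(d.rglob("*")):
            if f.is_file():
                digest = hashlib.sha256(f.read_bytes()).hexdigest()
                result[str(f)] = {"sha256": digest, "size": f.stat().st_size}
    return result


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Report files added, removed or changed, and flag risky newcomers."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(current) & set(baseline)
        if current[p]["sha256"] != baseline[p]["sha256"]
    )
    flagged = sorted(
        p for p in added + changed if Path(p).suffix.lower() in SUSPICIOUS_SUFFIXES
    )
    return {"added": added, "removed": removed, "changed": changed, "flagged": flagged}


if __name__ == "__main__":
    baseline_file = Path("startup_baseline.json")
    current = snapshot(default_startup_dirs())
    if baseline_file.exists():
        report = compare(json.loads(baseline_file.read_text()), current)
        print(json.dumps(report, indent=2))
    else:
        baseline_file.write_text(json.dumps(current, indent=2))
        print(f"Baseline written with {len(current)} entries")
```

Run it once to write the baseline, then on a schedule; a non-empty `flagged` list means a program file appeared in a Startup folder that was not there at baseline time, which is the exact outcome the vulnerability above was used to produce.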

Sources: ESET, WinRAR, RomCom