
Unpatched WinRAR installations expose millions of Windows users to persistent malware, highlighting the urgency of rapid patching and the broader risk of commoditized zero‑day exploits.
WinRAR’s CVE‑2025‑8088 is a high‑severity path‑traversal vulnerability that abuses Windows Alternate Data Streams (ADS) to write files outside the archive’s intended directory. When a user opens a malicious RAR file, WinRAR extracts the ADS payload and places executable objects—LNK, HTA, BAT, or script files—directly into locations such as the Startup folder, granting persistence after reboot. The flaw was publicly disclosed by ESET in August 2025, but Google’s Threat Intelligence Group traced active exploitation back to mid‑July 2025, with attacks persisting into 2026. Its ease of weaponization makes it a favorite entry point for both espionage and cyber‑crime campaigns.

State‑sponsored groups have quickly incorporated the exploit into targeted operations. Ukraine‑focused actors such as UNC4895 (RomCom), APT44, and Turla have delivered bespoke payloads—NESTPACKER, STOCKSTAY, and Ukrainian‑themed decoys—to military and government units, often using malicious LNK or HTA files hidden in ADS. China‑aligned teams have leveraged the same vector to drop POISONIVY BAT droppers, while financially motivated cybercriminals distribute commodity tools like XWorm, AsyncRAT, and malicious Chrome extensions. All parties appear to source functional exploit code from a market vendor known as “zeroplayer,” who priced the zero‑day between $80,000 and $300,000, underscoring a thriving underground economy.

The continued abuse of CVE‑2025‑8088 illustrates how commoditized exploits lower the barrier to sophisticated attacks, allowing even low‑skill actors to achieve persistence on unpatched Windows machines. Enterprises should prioritize rapid deployment of WinRAR patches and enforce strict controls on archive handling, such as disabling ADS extraction or using alternative decompression tools. Monitoring endpoints for anomalous LNK, HTA, or BAT file creation in startup locations can provide early detection.
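As an added example (not code from the original report or from any of the vendors it cites), the following Python filter runs over constructed Sysmon‑style file‑creation events and flags the two artifacts the text describes: an archiver process writing into a Startup folder, or writing a non‑Mark‑of‑the‑Web alternate data stream whose name is an executable object. The event field names, paths and process names are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Sysmon-style records (ID 11 FileCreate, ID 15 FileCreateStreamHash), constructed for this example.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 15, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report\notes.txt:hidden.hta"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\work.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.bat"},
    {"EventID": 15, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report\readme.txt:Zone.Identifier"},
]
ARCHIVER_IMAGES = {"winrar.exe", "unrar.exe"}           # extraction processes worth watching (assumed list)
STARTUP_MARKER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SUSPECT_EXT = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
BENIGN_STREAMS = {"zone.identifier"}                    # Mark-of-the-Web; archivers write it routinely

def split_stream(target):
    """Split 'C:\\d\\f.txt:payload.hta' into ('C:\\d\\f.txt', 'payload.hta'); no ADS -> (target, None)."""
    drive, rest = (target[:2], target[2:]) if re.match(r"^[A-Za-z]:", target) else ("", target)
    if ":" not in rest:
        return target, None
    path, stream = rest.split(":", 1)
    return drive + path, stream.split(":")[0] or None   # drops a trailing ':$DATA' type suffix

def classify(event):
    """Return reason codes for an archiver file-create event; empty list means nothing notable."""
    if event.get("EventID") not in (11, 15) or \
       PureWindowsPath(event.get("Image", "")).name.lower() not in ARCHIVER_IMAGES:
        return []
    path, stream = split_stream(event.get("TargetFilename", ""))
    if stream and stream.lower() in BENIGN_STREAMS:
        stream = None                         # MotW propagation is expected, not an indicator
    reasons = []
    if STARTUP_MARKER.search(path):
        reasons.append("startup-write")       # persistence location, never a normal extraction target
    if stream:
        reasons.append("ads-write")           # non-MotW stream carrying a file name: the CVE-2025-8088 pattern
    if PureWindowsPath(stream or path).suffix.lower() in SUSPECT_EXT:
        reasons.append("executable-type")     # LNK/HTA/BAT/script: raises severity, not an alert on its own
    return reasons

def scan(events):
    """Return (index, reasons) for events that hit a location or ADS indicator."""
    return [(i, r) for i, e in enumerate(events)
            for r in [classify(e)] if {"startup-write", "ads-write"} & set(r)]
```

Feed it real Sysmon exports by mapping the XML fields onto the same three keys; the Zone.Identifier exclusion is what keeps ordinary extractions from paging anyone.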
Ultimately, the episode reinforces the need for a proactive vulnerability‑management program that integrates threat‑intel feeds, ensuring that zero‑day exploits are mitigated before threat actors can weaponize them at scale.