WinRAR, NTFS ADS path-traversal arbitrary code execution (WinRAR zero-day)
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. By abusing NTFS alternate data streams and directory-traversal sequences in archive entry paths, a specially crafted RAR archive can write files to attacker-chosen locations such as the Windows Startup folder when the archive is extracted, leading to code execution. The vulnerability was exploited in the wild as a zero-day and was discovered by Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET.
Overview
CVE-2025-8088 is a high-severity path-traversal vulnerability in the Windows builds of WinRAR and the related RAR/UnRAR command-line tools and library. A crafted RAR archive can cause WinRAR to drop files outside the chosen extraction directory when a victim opens or extracts it, leading to arbitrary code execution. The NVD assigns a primary CVSS v3.1 base score of 8.8 (High). User interaction is required (the victim must extract the archive), which is the only barrier to what is otherwise a remote, low-complexity attack.
The flaw was discovered by ESET researchers Anton Cherepanov, Peter Kosinar, and Peter Strycek, who caught it being used as a zero-day in active espionage campaigns, including operations attributed to the RomCom threat actor, weaponising malicious archives delivered by email. RARLAB published a fix in WinRAR 7.13, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 12 August 2025.
Technical Details
The vulnerability is a path traversal classified as CWE-35 (Path Traversal: '.../...//'). When WinRAR extracts an archive, the destination path for each entry is supposed to be confined to the user-selected output folder. The affected versions mishandle entry paths that combine directory-traversal sequences with NTFS alternate data stream (ADS) syntax. By crafting archive members whose stored names embed traversal components and ADS markers, an attacker causes the extraction routine to resolve the final path to a location of their choosing rather than under the extraction root.
In the observed in-the-wild attacks, the crafted archives planted executable payloads or shortcuts into the per-user Windows Startup folder, so that the dropped file would run automatically the next time the user logged in. The technique is effective against ordinary double-click extraction workflows: the user only sees benign-looking files in the window, while the malicious entries are silently written elsewhere. Because the bug lives in the UnRAR extraction code, it affects not only the WinRAR GUI but also the bundled command-line RAR and UnRAR utilities, the UnRAR.dll library, and the portable UnRAR source on Windows. Non-Windows builds are not affected, because the flaw lies in Windows-specific path and ADS handling.
The issue is fixed in WinRAR 7.13 and the corresponding 7.13-era RAR/UnRAR command-line tools, UnRAR.dll, and portable UnRAR source. Note that WinRAR does not auto-update, so a large installed base remained vulnerable after the patch shipped.
Impact
- Arbitrary code execution on the victim's Windows host when a crafted archive is extracted.
- Files written outside the chosen extraction directory, including persistence locations such as the Startup folder.
- High loss of confidentiality, integrity, and availability (CIA all High) on the compromised account and, via persistence, across subsequent sessions.
- Practical real-world exploitation in targeted espionage campaigns delivering malicious RAR attachments.
- Wide exposure because WinRAR lacks an auto-update mechanism, leaving many systems on vulnerable builds long after the fix.
Mitigation
- Upgrade WinRAR to version 7.13 or later on every Windows system; the same fix applies to the command-line RAR and UnRAR tools, UnRAR.dll, and the portable UnRAR source, so rebuild or update any software that bundles them.
- Because WinRAR does not update itself, manually download the patched installer from the official win-rar.com site and roll it out through your software management process.
- Treat unexpected RAR (and other archive) attachments as hostile; do not extract archives from untrusted or unsolicited senders.
- Where feasible, extract untrusted archives only inside a sandbox or disposable VM with no network access and no logon persistence.
- Apply application allowlisting and restrict write/execute from user-writable persistence locations (Startup folders, per-user autorun paths) so a dropped payload cannot auto-execute.
- After updating, audit endpoints for files that may have been planted by earlier malicious extractions, focusing on Startup folders and recently created executables.
Detection
Focus first on the persistence locations the exploit abuses. Monitor the per-user and all-users Startup folders (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup and the ProgramData equivalent) for newly created executables, scripts, or shortcuts, and correlate their creation time with WinRAR or UnRAR extraction activity. A file appearing in a Startup folder immediately after a WinRAR.exe, Rar.exe, or UnRAR.exe process ran against a downloaded archive is a high-confidence indicator. EDR file-creation telemetry with the creating process attributed makes this correlation straightforward.
NTFS alternate data streams are central to the technique, so hunt for unexpected ADS on files written during or after archive extraction; tools and queries that enumerate streams (for example listing :streamname:$DATA entries) can surface anomalous streams that a benign archive would never create. Combine this with monitoring for path-traversal artifacts: files materialising in directories that are parents of, or entirely outside, the folder the user selected for extraction. Any extraction that results in writes above the chosen output root should be treated as exploitation of CVE-2025-8088.
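The confinement check that the Technical Details section says extraction must perform (every entry resolved under the user-selected root), and the gateway inspection of entry names for traversal sequences and ADS markers described under Detection, as one added example. This is not WinRAR's or RARLAB's code; Windows path semantics are modelled with Python's ntpath module so it runs on any platform, and the extraction root and entry names are constructed.

```python
import ntpath

# Constructed extraction root for the examples below (not a real system path).
EXTRACTION_ROOT = r"C:\Users\alice\Downloads\out"


def classify_entry(stored_name: str, extraction_root: str) -> dict:
    """Resolve one archive entry name against the chosen extraction root the
    way a safe extractor must, and list every reason it would be refused.

    Windows path semantics are modelled with ntpath so the check runs on any
    platform. An empty 'reasons' list means the entry stays under the root.
    """
    reasons = []
    # WinRAR accepts '/' and '\' as separators on Windows; normalise first.
    name = stored_name.replace("/", "\\")

    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        reasons.append("absolute path or drive letter in entry name")
    # A ':' anywhere after the drive letter addresses an NTFS alternate data
    # stream; a benign archive entry never needs one.
    if ":" in tail:
        reasons.append("NTFS alternate data stream marker in entry name")
    components = [c for c in tail.split("\\") if c not in ("", ".")]
    if ".." in components:
        reasons.append("directory-traversal component '..'")

    root = ntpath.normcase(ntpath.normpath(extraction_root))
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(root, tail)))
    # normpath collapses '..', so a traversal ends up as a path that no
    # longer starts with '<root>\'. This check belongs on the final resolved
    # path, not on the raw entry name alone.
    if not resolved.startswith(root.rstrip("\\") + "\\"):
        reasons.append("resolved path escapes the extraction root")

    return {"stored_name": stored_name, "resolved": resolved, "reasons": reasons}


def scan_listing(entries, extraction_root: str = EXTRACTION_ROOT):
    """Return the entries of an archive listing that a gateway should flag."""
    return [r for r in (classify_entry(e, extraction_root) for e in entries)
            if r["reasons"]]


# Constructed entry names: one benign, three that a safe extractor refuses.
SAMPLE_LISTING = [
    r"docs/readme.txt",
    r"..\..\evil.exe",
    r"readme.txt:hidden.exe",
    r"C:\Windows\Temp\x.exe",
]

if __name__ == "__main__":
    for result in scan_listing(SAMPLE_LISTING):
        print(result["stored_name"], "->", "; ".join(result["reasons"]))
```

The ADS test is deliberately separate from the root-containment test: a stream suffix is not a path component, so name normalisation alone does not reveal it, which is why a gateway rule should flag any ':' in a stored entry name outright.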
At the process level, watch for the WinRAR/UnRAR process tree spawning child processes, or for a freshly dropped binary executing at the next logon, which indicates the persistence fired. Email and web gateways should flag inbound RAR archives, especially those delivered to high-value recipients, and where archive inspection is available, scan for entries whose internal names contain traversal sequences or ADS markers.
Validate your patch posture across the fleet by inventorying installed WinRAR versions and flagging anything below 7.13; given the absence of auto-update, expect stragglers, and remember the same fix applies to any internal tooling that bundles UnRAR.dll or the UnRAR source.
Build a hunting query that joins three facts together: a WinRAR or UnRAR process, a recently downloaded .rar file as its input, and a file write that lands outside the extraction directory or inside a Startup folder; any single archive that produces all three is almost certainly malicious. Because exploitation predated public disclosure, retain and re-examine endpoint and email logs back through mid-2025, and pivot on ESET-published indicators for the RomCom and related campaigns when triaging suspected intrusions.
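The three-fact hunting join described above, together with the fleet version check, as an added example that is not from ESET, RARLAB or any EDR vendor. It runs over constructed EDR-style events and assumes the telemetry provides process-start events with command lines and file-create events attributed to the creating PID; the extraction root is taken from a trailing-backslash command-line argument when present, otherwise (as for a double-click extraction) from the archive's own folder, which is an assumption of this example.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Process images whose file writes we attribute to archive extraction.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}
# Normalised fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# How long after the .rar hit disk we still call it "recently downloaded".
DOWNLOAD_WINDOW = timedelta(hours=24)
PATCHED_VERSION = (7, 13)


def norm(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    return norm(path).startswith(norm(root).rstrip("\\") + "\\")


def archive_from_cmdline(cmdline: str):
    """First quoted .rar argument on the command line, or None."""
    m = re.search(r'"([^"]+\.rar)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def extraction_root(cmdline: str, archive: str) -> str:
    """Assumption: a quoted argument ending in '\\' is the destination folder
    (command-line 'x' usage); otherwise, as for a double-click extraction,
    the archive's own folder is taken as the root."""
    m = re.search(r'"([^"]+\\)"', cmdline)
    return m.group(1) if m else ntpath.dirname(archive)


def is_vulnerable_version(version: str) -> bool:
    """Fleet inventory check: anything below 7.13 lacks the fix."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < PATCHED_VERSION


def hunt(events):
    """Join the three facts: an archiver process, a recently downloaded .rar
    as its input, and a write outside the extraction root or into a Startup
    folder. Returns one alert per matching process."""
    creates = [e for e in events if e["type"] == "file_create"]
    alerts = []
    for p in (e for e in events if e["type"] == "process_start"):
        if p["image"].lower() not in ARCHIVER_IMAGES:
            continue
        archive = archive_from_cmdline(p["cmdline"])
        if archive is None:
            continue
        # Fact 2: the archive itself was written to disk shortly before.
        recently_downloaded = any(
            norm(e["path"]) == norm(archive)
            and timedelta(0) <= p["t"] - e["t"] <= DOWNLOAD_WINDOW
            for e in creates)
        if not recently_downloaded:
            continue
        root = extraction_root(p["cmdline"], archive)
        # Fact 3: writes attributed to this process that leave the root or
        # land in Startup. Real telemetry should key on a process GUID, not
        # a reusable PID; the constructed sample keeps PIDs unique.
        bad_writes = [
            e["path"] for e in creates
            if e["pid"] == p["pid"] and e["t"] >= p["t"]
            and (STARTUP_MARKER in norm(e["path"]) or not is_under(e["path"], root))]
        if bad_writes:
            alerts.append({"pid": p["pid"], "archive": archive, "writes": bad_writes})
    return alerts


T0 = datetime(2025, 8, 11, 9, 0, 0)
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed EDR-style telemetry: the first sequence shows the pattern the
# text describes, the second a benign extraction of a downloaded archive.
SAMPLE_EVENTS = [
    {"t": T0, "type": "file_create", "pid": 300, "image": "outlook.exe",
     "path": r"C:\Users\alice\Downloads\invoice.rar"},
    {"t": T0 + timedelta(minutes=3), "type": "process_start", "pid": 412, "image": "WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.rar"'},
    {"t": T0 + timedelta(minutes=3, seconds=5), "type": "file_create", "pid": 412, "image": "WinRAR.exe",
     "path": r"C:\Users\alice\Downloads\invoice.pdf"},
    {"t": T0 + timedelta(minutes=3, seconds=5), "type": "file_create", "pid": 412, "image": "WinRAR.exe",
     "path": STARTUP + r"\update.lnk"},
    {"t": T0 + timedelta(hours=1), "type": "file_create", "pid": 301, "image": "chrome.exe",
     "path": r"C:\Users\alice\Downloads\report.rar"},
    {"t": T0 + timedelta(hours=1, minutes=2), "type": "process_start", "pid": 520, "image": "WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\report.rar"'},
    {"t": T0 + timedelta(hours=1, minutes=2, seconds=4), "type": "file_create", "pid": 520, "image": "WinRAR.exe",
     "path": r"C:\Users\alice\Downloads\report.docx"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"pid {a['pid']} extracted {a['archive']} and wrote: {a['writes']}")
```

The benign sequence is there to show the join does not fire on an ordinary download-and-extract: only the process whose writes leave its extraction root or land in a Startup folder produces an alert. Translating the same three conditions into your EDR's query language is straightforward once the extraction-root assumption is replaced by whatever your telemetry actually records.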
References
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/