
Outdated WinRAR Versions Are a Security Nightmare — Update Immediately

Last week, WinRAR released version 7.13, quietly fixing a serious security vulnerability tracked as CVE-2025-8088. Now, thanks to new research from ESET, we know this wasn’t just another routine patch — it was a response to active exploitation by a known cybercrime group.

The flaw, a path traversal vulnerability in WinRAR's Windows extraction code (including the UNRAR.dll library that other applications embed), allowed attackers to escape the chosen extraction folder and write files anywhere the user's account can write, including highly sensitive locations like the Windows Startup folder. All it took was extracting a seemingly harmless archive.

How the Attack Works

When you extract a file in WinRAR, you expect it to go where you choose. This vulnerability lets a specially crafted archive override that choice: the file name stored in an entry's header is honoured even when it contains path components that climb out of the destination folder, so instead of landing under the folder the user selected, the file is written to a location the archive's author picked in advance.

According to ESET researchers Anton Cherepanov, Peter Košinár, and Peter Strýček, attackers exploited this to place executable malware in:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Once there, the payload runs automatically every time the user logs in, giving the attacker a persistent foothold that survives reboots without any further action from the victim. This is not just data theft; it is a standing remote-access channel into the machine.

The attack is silent and requires no extra user interaction: no "Run" prompts, no warnings. Extracting the archive is enough, because from WinRAR's point of view it is simply writing the files the archive lists.
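To make the mechanism concrete, here is an added example (not code from the article, from ESET, or from RARLAB) that models the archive path-traversal class described above. It uses a ZIP archive rather than RAR because Python's standard library can write ZIP entries with arbitrary stored names, while RAR archives cannot be produced without RARLAB's own tools; the traversal logic is the same. The victim layout (`C:/Users/victim/Downloads/invoice` as the chosen destination, `updater.exe` as the file name) is an assumption, not a detail from the report. The naive planner shows where a trusting extractor would put each entry, and the hardened planner refuses the archive outright; the same triage function can be run over a downloaded archive before extracting it.

```python
"""Added example, not code from the article or from RARLAB: models the
archive path-traversal class behind CVE-2025-8088 with a constructed ZIP."""
import io
import posixpath
import re
import zipfile

# Constructed sample layout (assumed victim paths; not taken from the article).
DEST = "C:/Users/victim/Downloads/invoice"   # folder the user chose to extract into
STARTUP_REL = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Two '..' climb from <Downloads>\invoice up to the profile root, then descend
# into the Startup folder the article names as the drop location.
CRAFTED_ENTRY = "..\\..\\" + STARTUP_REL + "\\updater.exe"
CRAFTED_ENTRIES = {
    "invoice.pdf": b"%PDF-1.4 decoy document",
    CRAFTED_ENTRY: b"MZ constructed stand-in for a payload",  # not a real binary
}

_DRIVE = re.compile(r"^[A-Za-z]:")


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Write a ZIP whose entry names are stored verbatim in the headers.

    ZipInfo keeps '..' components as given (on Windows it only swaps '\\' for '/'),
    so the result carries exactly the kind of name a trusting extractor honours."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def resolve_target(dest: str, entry_name: str) -> str:
    """What a naive extractor does: join the stored name onto the chosen folder."""
    name = entry_name.replace("\\", "/")  # accept either separator style
    return posixpath.normpath(posixpath.join(dest.replace("\\", "/"), name))


def suspicious_reasons(entry_name: str) -> list[str]:
    """Header-level checks that need no knowledge of the destination."""
    name = entry_name.replace("\\", "/")
    parts = name.split("/")
    reasons = []
    if name.startswith("/") or _DRIVE.match(name):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory component")
    # NTFS reads 'file:stream' as an alternate data stream; an ordinary archive
    # has no reason to carry ':' inside a component (general hardening check).
    for i, part in enumerate(parts):
        if ":" in part and not (i == 0 and _DRIVE.fullmatch(part)):
            reasons.append("alternate data stream syntax")
            break
    return reasons


def escapes_destination(dest: str, entry_name: str) -> bool:
    """Destination-aware check: does the resolved path leave the chosen folder?"""
    dest_norm = posixpath.normpath(dest.replace("\\", "/"))
    target = resolve_target(dest, entry_name)
    return target != dest_norm and not target.startswith(dest_norm + "/")


def triage_archive(data: bytes, dest: str) -> dict[str, list[str]]:
    """Map each offending entry to the reasons it was flagged (empty dict = clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            reasons = suspicious_reasons(name)
            if escapes_destination(dest, name):
                reasons.append("resolves to " + resolve_target(dest, name))
            if reasons:
                findings[name] = reasons
    return findings


def naive_extraction_plan(data: bytes, dest: str) -> dict[str, str]:
    """Vulnerable behaviour: every entry lands wherever its header says."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: resolve_target(dest, n) for n in zf.namelist()}


def hardened_extraction_plan(data: bytes, dest: str) -> dict[str, str]:
    """Fixed behaviour: refuse the whole archive if any entry is flagged."""
    findings = triage_archive(data, dest)
    if findings:
        raise ValueError(f"refusing to extract, suspicious entries: {findings}")
    return naive_extraction_plan(data, dest)


if __name__ == "__main__":
    archive = build_archive(CRAFTED_ENTRIES)
    for entry, target in naive_extraction_plan(archive, DEST).items():
        print(f"naive:    {entry!r} -> {target}")
    try:
        hardened_extraction_plan(archive, DEST)
    except ValueError as exc:
        print("hardened:", exc)
```

Both planners are dry runs that return the target path per entry rather than writing files, which keeps the example filesystem-free; a real extractor would write each returned target. The hardened variant rejects the whole archive on the first bad entry instead of skipping it, because an archive that carries one traversal name is hostile, not merely malformed.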

Who’s Behind the Attacks?

ESET links the campaign to a cybercriminal group known as RomCom, which has been active since at least 2022. RomCom primarily uses social engineering to trick users — often by mimicking legitimate software download pages, such as fake KeePass installers. When victims download what they think is a safe tool, they unknowingly install the RomCom Remote Access Trojan (RAT) alongside it.

Once inside, the RAT gives attackers full control: logging keystrokes, stealing passwords, accessing files, and even activating webcams. The group has historically targeted Ukraine and several NATO countries, suggesting possible geopolitical motives behind some of its operations.

The use of the WinRAR vulnerability appears to be a new delivery method — one that’s faster, stealthier, and harder to detect than older phishing-based tactics.

Not the First — and Maybe Not the Last

This isn’t WinRAR’s first security scare in 2025. Just weeks earlier, version 7.12 patched another directory traversal flaw, CVE-2025-6218, affecting version 7.11 and earlier. The fact that two such vulnerabilities have surfaced in quick succession raises concerns about the security of legacy archive-handling code.

What makes these flaws especially dangerous is how deeply embedded WinRAR is in everyday workflows — especially in regions where file compression is still a daily necessity. And unlike most modern software, WinRAR has no automatic update system. That means millions of users could be running outdated, vulnerable versions for months — or even years.

How to Stay Protected

  1. Update to WinRAR 7.13 Immediately
    Go directly to the official site: rarlab.com. Do not rely on third-party download portals, which often host older versions. You can confirm the installed version afterwards under Help > About WinRAR.
  2. Avoid Suspicious Archives
    Be extra cautious with .rar, .zip, or .7z files from unknown sources, especially if they come via email, messaging apps, or software cracks. If you must inspect one, list its contents before extracting and treat any entry name containing ".." or a full path as hostile.
  3. Check Your Startup Programs
    Press Ctrl + Shift + Esc, go to the Startup tab, and look for anything unfamiliar. You can also open the per-user Startup folder directly by pressing Win + R and entering shell:startup; that is the exact folder this campaign wrote to. Malware often hides here.
  4. Run a Full System Scan
    Use Microsoft Defender or another trusted antivirus to check for signs of infection, especially if you’ve extracted archives recently.
  5. Note: Unix and Android Are Not Affected
    According to WinRAR’s developers, Unix-based versions (Linux, macOS) and RAR for Android are not affected by this vulnerability.

Final Thoughts

The release of WinRAR 7.13 isn’t just another version bump — it’s a critical defense against real-world attacks. With a known hacker group actively exploiting the flaw to install persistent malware, updating is no longer optional.

WinRAR remains one of the most widely used compression tools on Windows, but its lack of automatic updates and repeated security issues mean users must stay vigilant. In 2025, managing software updates isn’t just maintenance — it’s a security necessity.

👉 If you haven’t updated yet: do it now. Your next archive could be a trap.
