Google‘s Threat Intelligence Group has confirmed that a critical security flaw in the widely used WinRAR file archiver—tracked as CVE-2025-8088 and patched in July 2025—is being actively exploited in ongoing cyberattacks by both nation-state actors, including groups linked to Russia and China, and financially motivated cybercriminals. Attackers are exploiting this path-traversal vulnerability by crafting malicious RAR archives that silently drop malware into Windows systems—often placing payloads into startup folders to ensure persistence and automatic execution. These campaigns have been observed targeting government, military, technology, commercial, and other organizations globally, using a range of malicious payloads from remote access trojans to information stealers. Despite the patch being available for six months, unpatched WinRAR installations continue to be a frequent vector for intrusion and persistence, underscoring the importance of updating software promptly and practicing robust cybersecurity hygiene.
Sources
https://cyberscoop.com/winrar-defect-active-exploits-google-threat-intel/
https://www.securityweek.com/apts-cybercriminals-widely-exploiting-winrar-vulnerability/amp/
https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
Key Takeaways
• Multiple advanced persistent threat (APT) groups and financially motivated threat actors are actively exploiting the WinRAR vulnerability CVE-2025-8088 months after a patch was issued.
• The flaw allows attackers to place malicious files into critical system locations like Windows Startup folders, enabling persistent access and automatic execution of malware.
• Despite a patch release in July 2025, many systems remain unpatched, leaving organizations and users exposed to espionage, malware deployment, and other attacks.
In-Depth
The cybersecurity landscape is once again reminding organizations and individuals that vigilance against vulnerabilities doesn’t end at the point of patch issuance. In late July 2025, WinRAR—a ubiquitous file-archiving and compression tool used widely across Windows environments—released a patch to address a significant security issue identified as CVE-2025-8088. This flaw, a path-traversal vulnerability, allows attackers to craft malicious RAR archives that exploit how the software handles file paths, enabling them to write arbitrary files to locations on a victim’s system that the user did not intend. More than six months after that patch became available, Google’s Threat Intelligence Group has confirmed that this vulnerability remains actively exploited in the wild, with both nation-state actors and criminal organizations continuing to leverage it to gain access to systems, deploy malware, and maintain long-term access. The persistence of exploit activity highlights a broader problem endemic to software security: patch adoption lag. Even with a fix available for months, a significant number of installations remain vulnerable, providing fertile ground for ongoing exploit campaigns.
Behind these attacks are a diverse array of malicious actors. State-sponsored groups linked to Russia, including Sandworm and Turla, have been observed using the flaw in targeted attacks against government, military, and technology sector entities. China-linked actors have been seen deploying malware such as PoisonIvy through crafted archives. At the same time, financially motivated cybercriminals have exploited the same technique to install commodity remote access trojans and information stealers on commercial and private networks. This combination of espionage and criminal activity underscores the versatile utility of this exploit once in an attacker’s toolkit.
The exploitation mechanism often involves embedding a malicious component within a benign-looking file inside a RAR archive. When the unsuspecting user opens the archive with an outdated version of WinRAR, the vulnerable path-handling process can extract and write the malicious files into sensitive system locations like the Windows Startup folder. Because these files then execute with each system restart, attackers gain persistent access without overt indicators that anything has been compromised. This stealthy persistence makes detection more difficult and allows attackers to carry out follow-on activities, such as establishing backdoors, exfiltrating data, or deploying additional payloads.
From a defensive standpoint, the ongoing exploitation of CVE-2025-8088 reinforces why timely patching and software update practices are critical components of risk mitigation. Organizations with outdated WinRAR installations have exposed themselves to avoidable risk. Beyond patching, comprehensive endpoint protection, robust intrusion detection capabilities, and user education around the risks of opening untrusted archive files are key complementary strategies. Given the wide availability of proof-of-concept exploit code and the commoditization of this exploit in underground markets, even less sophisticated adversaries can now leverage the vulnerability to significant effect.
In conclusion, while the existence of a patch for CVE-2025-8088 should, in theory, sharply reduce the threat profile of this vulnerability, real-world exploitation data shows that threat actors continue to capitalize on unpatched systems. That persistence of risk is a stark reminder that cybersecurity is an ongoing process requiring continuous attention to updates, threat intelligence, and defensive practices. Failing to keep software current not only invites avoidable compromise but also amplifies an organization’s attack surface in an environment where both nation-state and criminal groups are constantly seeking out weaknesses to exploit.