Last week, WinRAR 7.13 dropped with a fix for a directory traversal vulnerability tracked as CVE-2025-8088. We now have more details on the exploit, thanks to work by researchers from ESET who discovered that attackers were actively abusing the flaw.
The vulnerability exists within UNRAR.dll, a core library handling archive extraction. Attackers craft a malicious archive that can then trick the software into writing a file to a location they choose, instead of the directory a user selects.
When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path.
According to ESET"s Anton Cherepanov, Peter Košinár, and Peter Strýček, attackers exploit this vulnerability to drop payloads into sensitive system locations, like the Startup Folder. By placing an executable in a path %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, the malicious code runs automatically when the user logs in. This action basically gives the attacker remote code execution on the compromised machine.
The group behind these attacks is believed to be the RomCom crew. The RomCom malware itself is a Remote Access Trojan (RAT) that has been in use since at least 2022. It works by duping people through social engineering, sometimes impersonating websites for popular software like KeePass, so when some innocent user downloads the installer, the RAT is installed alongside it. The group has historically focused its operations against countries like Ukraine and several NATO countries.
This is not the first time WinRAR has had to deal with this kind of security problem this year. Before this, the company fixed another similar directory traversal vulnerability (CVE-2025-6218), affecting WinRAR versions 7.11 and earlier, in version 7.12.
As Bleeping Computer notes, WinRAR has no built-in automatic update mechanism, so anyone using the software needs to manually visit the official site and install version 7.13 to be protected. The WinRAR devs claim that Unix versions of RAR and UnRAR, along with RAR for Android, are not affected.