
WinRAR Flaw Lets Malware Run at Startup — Update Now
A critical security vulnerability affecting the Windows version of WinRAR has been uncovered, allowing malicious actors to install malware that automatically runs when Windows starts. Tracked as CVE-2025-8088, this path traversal flaw enables attackers to craft specially designed archive files that bypass normal extraction boundaries and place harmful files in sensitive system folders, such as the Windows Startup folders for the current user and for all users.
What Happened?
Normally, WinRAR extracts files only to the destination folder specified by the user. However, due to this vulnerability, attackers can trick the software into extracting files into unauthorized filesystem locations, including Windows startup folders. Malware placed in these folders launches automatically at the next system boot, allowing persistent control over the device without user consent or further interaction.
This flaw affects WinRAR Windows versions up to 7.12, including related components like RAR, UnRAR, UnRAR.dll, and portable UnRAR source code. Unix and Android versions of WinRAR are not impacted by this issue.
Active Exploitation by RomCom
Discovered by security researchers from ESET—Anton Cherepanov, Peter Košinár, and Peter Strýček—the vulnerability has been exploited in real-world spear-phishing campaigns. The threat actor behind these attacks is RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596), a Russian-linked cyber-espionage group that targets financial, manufacturing, defense, and logistics sectors across Europe, Canada, and other regions.
These phishing emails contain malicious RAR attachments that exploit the flaw to install backdoors, steal sensitive data, and deploy additional malware. RomCom is known for using highly sophisticated techniques such as encrypted communication and hiding malware within legitimate system tools to evade detection.
How to Protect Yourself
WinRAR addressed the vulnerability with the release of version 7.13 Final on July 30, 2025. This update blocks extraction of files outside the user-specified location, eliminating the path traversal threat and fixing other minor bugs.
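The rule the fix enforces, shown here as an added illustration that is not WinRAR's own code: an extractor must refuse any archive entry whose name would land outside the user-chosen destination, whether through ".." components, a drive letter, a root-relative path or a UNC path. The entry names below are constructed for the demonstration; the Startup folder locations are the standard Windows ones, the file names are invented.

```python
from pathlib import PureWindowsPath


def is_contained(entry_name: str) -> bool:
    """True only if the archive entry, joined to any destination folder,
    can never escape that folder. Illustrative reimplementation of the
    containment check a safe extractor needs, not WinRAR's code."""
    entry = PureWindowsPath(entry_name)  # accepts both "\" and "/"
    # Drive letters (C:...), root-relative names (\Windows\...) and UNC
    # names (\\server\share\...) resolve somewhere other than inside the
    # destination, so they are rejected outright.
    if entry.drive or entry.root:
        return False
    depth = 0  # directory levels below the destination we are currently at
    for part in entry.parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the destination folder
                return False
        elif part != ".":
            depth += 1
    return bool(entry.parts)  # an empty name is not a usable entry


def plan_extraction(dest: str, entry_names):
    """Split archive entries into the paths that may be written under dest
    and the entries that must be refused. Returns (allowed, rejected)."""
    allowed, rejected = [], []
    for name in entry_names:
        if is_contained(name):
            allowed.append(str(PureWindowsPath(dest) / name))
        else:
            rejected.append(name)
    return allowed, rejected


# Constructed sample archive listing: two benign entries, then three that
# try to land in a Startup folder or elsewhere outside the destination.
SAMPLE_ENTRIES = [
    "invoice/report.pdf",
    r"images\..\readme.txt",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\updater.exe",
    r"\Windows\Temp\updater.exe",
]

if __name__ == "__main__":
    ok, bad = plan_extraction(r"C:\Users\alice\Downloads\out", SAMPLE_ENTRIES)
    print("would extract:", *ok, sep="\n  ")
    print("refused:", *bad, sep="\n  ")
```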
Important: WinRAR does not update automatically. All users must manually download and install version 7.13 from the official WinRAR website to protect their systems.
In addition to updating, experts advise:
- Being highly cautious when opening email attachments from unknown or unexpected senders.
- Using reputable antivirus software capable of scanning inside archive files for malicious content.
- Regularly checking Windows startup folders for unfamiliar or suspicious files to detect potential malware early.
Why It Matters
With more than half a billion users worldwide, WinRAR is a prime target for cybercriminals. This latest vulnerability and its exploitation underscore the risks posed by outdated software and the importance of timely updates. The RomCom group’s espionage and ransomware campaigns demonstrate how such flaws can lead to serious security breaches affecting organizations and individuals alike.
By promptly updating to WinRAR 7.13 and practicing vigilant cybersecurity habits, users can defend against attacks exploiting this dangerous zero-day flaw.
Stay safe, update WinRAR now, and be alert to phishing attempts carrying malicious RAR files.


