What just happened? A serious security flaw has been discovered in the Windows version of WinRAR, prompting urgent warnings for users to update immediately. The vulnerability – tracked as CVE-2025-8088 and already exploited in real-world phishing attacks – allows attackers to craft malicious archive files that can place content in unauthorized locations on a victim's system, including Windows folders that automatically execute programs at startup.

Once a malicious file is placed in these folders, it can install malware or open a hidden backdoor without any further action from the user.

Under normal conditions, WinRAR should only extract files into the destination folder specified by the user. However, this flaw – classified as a path traversal vulnerability – can trick the software into placing files in highly sensitive system locations, such as the Windows startup folders for individual users or for all users on the machine.

Malware placed in these locations runs automatically every time the computer restarts, giving attackers persistent control over the device. The issue affects Windows versions of WinRAR and related tools, including RAR, UnRAR, the Portable UnRAR source code, and UnRAR.dll. Versions for Unix or Android are not affected.

The vulnerability was discovered by ESET security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček. Their investigation revealed that the hacking group known as RomCom – also called Storm-0978, Tropical Scorpius, or UNC2596 – has actively exploited the flaw in spear-phishing campaigns.

In these attacks, victims received emails containing infected RAR files. When opened with outdated versions of WinRAR, the malicious files deployed RomCom malware, which can steal sensitive information, install additional malware, and maintain long-term, hidden access to compromised systems.

RomCom is linked to Russian-speaking cyber-espionage operations and is known for leveraging undisclosed software vulnerabilities in both spying and ransomware attacks. Its malware often uses encrypted communications, hides within legitimate system tools, and is designed to evade security detection.

To address the issue, WinRAR's developers released version 7.13 Final on July 30, 2025. This update blocks archive files from placing content outside the user-specified extraction location and also fixes several minor unrelated bugs. However, WinRAR does not update automatically – users must manually download and install the new version from the official website.

With over half a billion users worldwide, WinRAR is a high-value target for cybercriminals. This is not the first security flaw to affect the software in recent months; earlier in 2025, another vulnerability involving malicious archive files was also patched.

Security experts stress the importance of keeping WinRAR updated. They also advise caution when opening email attachments from unknown senders, recommend using antivirus software that can detect threats hidden in archive files, and suggest regularly checking startup folders for unfamiliar files, as these are common malware entry points.