Facepalm: Researchers discovered the CVE-2025-8088 vulnerability nearly a year ago, and WinRAR's developers promptly issued a fix. Despite that, the flaw is still being exploited by a handful of resourceful cybercrime groups. Attackers continue to abuse it to steal data, carry out scams, and maintain an edge in ongoing geopolitical conflicts.
The WinRAR vulnerability tracked as CVE-2025-8088 was discovered and patched in July 2025, but the popular file archiver continues to suffer from its fallout. According to analysts at Google's Threat Intelligence Group (GTIG), the flaw remains a favored target for active exploitation by sophisticated threat actors, including groups linked to Russia and China.
GTIG highlighted the ongoing risks associated with CVE-2025-8088 in a recent report. The researchers reiterated how the vulnerability works, explaining that a consistent exploitation technique involving a path traversal flaw allows attackers to deploy malware and surveillance tools on Windows systems.
The exploit abuses Alternate Data Streams, an obscure feature of the NTFS file system that allows multiple data streams to be associated with a single filename. ADS cannot be viewed or modified through Windows' native graphical interface and has long been a favored hiding mechanism for both cybercriminals and state-sponsored actors.
Attackers can store a malicious payload inside a specially crafted RAR archive by hiding it within a file's ADS. When a user opens a decoy file from the archive using a vulnerable version of WinRAR, the path traversal lets the concealed payload be silently written to an attacker-chosen location on the system volume instead of the extraction directory. By directing it into the Windows Startup folder, the attacker ensures it executes automatically during the next system boot.
Rarlab released WinRAR 7.13 to address CVE-2025-8088 alongside other security issues. Despite the fix, GTIG analysts say they have observed numerous ongoing "exploitation events" centered on CVE-2025-8088 and additional WinRAR flaws.
According to Google, the vulnerability is being actively abused by Russian-linked groups targeting Ukraine's military and government institutions, by China-aligned threat actors, and by financially motivated criminal gangs attacking organizations worldwide.
GTIG also highlighted the underground exploit ecosystem that has formed around CVE-2025-8088 and similar bugs. The path traversal flaw was initially advertised on cybercrime forums by a seller known as "zeroplayer," a prominent exploit broker whose offerings have targeted widely used software including Microsoft Office, VPN clients, endpoint security tools, and Windows itself.
The researchers concluded that the continued, opportunistic exploitation of CVE-2025-8088 demonstrates the flaw's reliability and value to threat actors. The risk is amplified by the fact that WinRAR still lacks an automatic update mechanism, requiring users to manually download and install patched versions – leaving many systems exposed long after fixes are released.
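The two defender-side checks that follow from the description above are whether the installed WinRAR predates the 7.13 fix (given the lack of auto-update) and whether anything unexpected has landed in the Startup folders the technique targets. The PowerShell below is an added example written for this page; it is not code from the article, from Google's GTIG report, or from Rarlab. The install paths and the `exe64` registry value it probes are assumptions, and the 7.13 threshold is taken from the article.

```powershell
# Added defensive checks (not from the article, GTIG, or Rarlab).
# 1. Report whether the installed WinRAR is older than the 7.13 release that fixed CVE-2025-8088.
# 2. Inventory the per-user and all-users Startup folders, flagging executable content and any
#    non-default NTFS alternate data streams, since the described technique drops its payload there.

function Get-WinRarPatchStatus {
    param([version]$FixedVersion = [version]'7.13')   # release named in the article

    # Assumed install locations; the 'exe64' registry value name is an assumption as well.
    $candidates = @(
        (Get-ItemProperty -Path 'HKLM:\SOFTWARE\WinRAR' -ErrorAction SilentlyContinue).exe64,
        "$env:ProgramFiles\WinRAR\WinRAR.exe",
        "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

    if (-not $candidates) {
        return [pscustomobject]@{ Path = $null; Version = $null; Vulnerable = 'not installed' }
    }

    foreach ($exe in $candidates) {
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $parsed = $null
        $vulnerable = 'unknown'
        if ([version]::TryParse($raw, [ref]$parsed)) {
            # Compare on major.minor only so "7.13.0" and "7.13" are treated alike.
            $majorMinor = [version]::new($parsed.Major, $parsed.Minor)
            $vulnerable = ($majorMinor -lt $FixedVersion)
        }
        [pscustomobject]@{ Path = $exe; Version = $raw; Vulnerable = $vulnerable }
    }
}

function Get-StartupFolderInventory {
    # Both Startup folders, resolved through the shell's special-folder mapping.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    # Extensions that run code when Explorer launches Startup items; treat anything here as worth review.
    $runnable = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.lnk')

    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            # Every file carries the default ':$DATA' stream; anything else is an alternate data stream.
            # 'Zone.Identifier' is the benign mark-of-the-web stream and is listed but not flagged.
            $ads = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { $_.Stream }
            $suspiciousAds = @($ads | Where-Object { $_ -ne 'Zone.Identifier' })

            [pscustomobject]@{
                Folder     = $dir
                File       = $_.Name
                Created    = $_.CreationTime
                Runnable   = ($runnable -contains $_.Extension.ToLower())
                Streams    = ($ads -join ',')
                Flag       = ($runnable -contains $_.Extension.ToLower()) -or ($suspiciousAds.Count -gt 0)
            }
        }
    }
}

# Usage: run in an elevated PowerShell session so both Startup folders are readable.
Get-WinRarPatchStatus | Format-Table -AutoSize
Get-StartupFolderInventory | Sort-Object Created -Descending | Format-Table -AutoSize
```

The inventory deliberately reports every file rather than trying to decide what is malicious: a freshly created executable or shortcut in a Startup folder is a review item regardless of name, and creation time is the quickest way to correlate it with when an archive was opened. The version check only tells you whether the client is below the fixed release; it does not confirm exploitation, so treat a "Vulnerable = True" result as a patching task and the Startup findings as a triage task.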
Image credit: Google
