SOCcare August 2025: cracking the archive

This update has been published as part of the SOCcare project, which is co-funded by the European Union and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.

Cracking the archive: inside WinRAR’s CVE-2025-6218 and CVE-2025-8088 vulnerabilities

Introduction

For many years, WinRAR has been present on a large share of Windows systems, functioning as a trusted tool for compressing, storing, extracting, and sharing files in both enterprise and home environments. Its ubiquity has made it practically invisible and considered safe by default. The disclosure of CVE-2025-6218 and CVE-2025-8088 changed that. These WinRAR vulnerabilities demonstrate how specially crafted archive files can be weaponized, enabling attackers to execute malicious code, bypass security controls, and compromise systems simply through archive extraction.

WinRAR vulnerabilities: new attack paths uncovered

Two high-severity vulnerabilities in the Windows version of WinRAR have emerged in 2025, each adding distinct attack capabilities for threat actors:

  • CVE-2025-6218 (published date 2025-06-20) is a classic directory traversal vulnerability in WinRAR’s archive extraction logic. Because WinRAR did not properly validate file paths embedded in archives, specially crafted RAR files could write files outside the user-specified extraction directory – for example, into system or startup folders – leading to arbitrary code execution without further user interaction. This path traversal vulnerability was fixed in WinRAR version 7.12, released in June 2025.
  • CVE-2025-8088 (published date 2025-08-08) builds on the directory traversal attack surface, exploiting NTFS Alternate Data Streams (ADS) as an additional vector: attackers embed malicious payloads in hidden ADS entries within an archive. During extraction, these hidden streams can be deposited into attacker-chosen locations (including autorun and startup paths), enabling stealthy persistence and remote code execution when the system boots. This ADS-based path traversal was patched in WinRAR version 7.13, released on July 30, 2025.

Initial foothold

Both vulnerabilities are well-suited for phishing-based delivery, where malicious archives are distributed via email, messaging platforms, or file-sharing services and disguised as legitimate documents, for example, the resume of a job applicant. Once the victim extracts the archive using a vulnerable version of WinRAR, exploitation occurs automatically. Via path traversal, attackers can place files in sensitive locations such as startup folders or other trusted paths, effectively bypassing user intent and security expectations. In the case of the ADS-based technique, malicious payloads can be written even more stealthily, reducing visibility to both users and some security controls.

The practical use of both flaws has already been observed in the wild. Multiple threat groups, including RomCom and Paper Werewolf, have leveraged these techniques in phishing campaigns. This low-interaction execution model makes the vulnerabilities particularly dangerous, as no additional macros, scripts, or installer prompts are required to initiate compromise.

PoC – analysis of a real malware

Opening the file in WinRAR (even a patched version) shows nothing unusual: just a simple archive with a PDF file inside. The PDF itself looks like a legitimate CV with realistic personal details; the only obviously fabricated element is the phone number (a 555 number).

Checking the same archive with 7-Zip (another popular archiving tool) reveals a different picture: 30 files hidden in alternate data streams.

20 of these ADS entries serve no functional purpose beyond generating noise. When extracted, they trigger WinRAR warnings and are written to temporary directories, with each file containing nothing more than the string “noise” followed by an index number. Their naming convention – examples include files such as “Rar$36543.44269” – closely resembles WinRAR’s own temporary artifacts. This is likely intended to desensitize users to the warnings, making the activity appear as benign extraction errors rather than malicious behavior. Amid this clutter, ten ADS entries carry the actual payloads (two different payloads, using different path traversal sequences such as “../” and “../../”). Both are dropped into directories on the victim’s system from which they will later be executed.

The first file is placed in “AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk”, enabling execution on user logon. The second is a malicious DLL written to “AppData\Local\Temp\msedge.dll”.
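The two traits described above, traversal sequences in entry names and payloads hidden behind an ADS marker, can be checked for before anything is extracted. The following is an added example (not code from the article or from the analysed sample): a triage routine over an archive listing such as 7-Zip prints, run on a constructed set of entry names modelled on the description above, that flags ADS entries, paths escaping the extraction directory, and drops into Startup or the user's Temp folder.

```python
import posixpath
import re

# Constructed sample listing (not the real sample) modelled on the article:
# one visible PDF, noise ADS entries named like WinRAR temp artifacts, and
# payload ADS entries using "../" and "../../" traversal sequences.
SAMPLE_ENTRIES = [
    "CV_Applicant.pdf",
    "CV_Applicant.pdf:Rar$36543.44269",
    "CV_Applicant.pdf:Rar$36544.44270",
    "CV_Applicant.pdf:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Updater.lnk",
    "CV_Applicant.pdf:../../AppData/Local/Temp/msedge.dll",
    "docs/readme.txt",
]

# Drop locations that turn a file write into execution or persistence.
SENSITIVE_TARGETS = ("/start menu/programs/startup/", "/appdata/local/temp/")
EXTRACT_ROOT = "extract"  # stand-in for the user-chosen extraction directory


def analyze_entry(name: str) -> list:
    """Return the list of findings for one archive entry name."""
    norm = name.replace("\\", "/")
    # Drive-letter or rooted names bypass the extraction directory outright.
    if re.match(r"^[A-Za-z]:/", norm) or norm.startswith("/"):
        return ["absolute_path"]
    findings = []
    base, has_ads, stream = norm.partition(":")
    if has_ads:
        findings.append("ads")  # entry is an NTFS alternate data stream
    target = stream if has_ads else base
    # Resolve the name the way an extractor that trusts it would.
    resolved = posixpath.normpath(posixpath.join(EXTRACT_ROOT, target))
    if resolved != EXTRACT_ROOT and not resolved.startswith(EXTRACT_ROOT + "/"):
        findings.append("path_traversal")
        if any(s in "/" + resolved.lower() + "/" for s in SENSITIVE_TARGETS):
            findings.append("sensitive_target")
    return findings


def severity(findings: list) -> str:
    """ADS alone is noise; ADS plus an escape into a trusted path is critical."""
    if "sensitive_target" in findings or "absolute_path" in findings:
        return "critical"
    if "path_traversal" in findings:
        return "high"
    return "low" if "ads" in findings else "clean"


def triage(entries: list) -> dict:
    """Return {entry_name: verdict} for every entry that is not clean."""
    return {e: severity(analyze_entry(e)) for e in entries if analyze_entry(e)}
```

Run `triage(SAMPLE_ENTRIES)` to see the noise streams rated low and the two payload streams rated critical; the same function works on any listing where ADS entries appear as `file:stream`.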

The Updater.lnk shortcut executes at user logon and runs a command that modifies the user’s registry so that a legitimate COM object points to the malicious DLL. This technique, known as COM hijacking, abuses the CLSID associated with PSFactoryBuffer to redirect execution flow. Once the hijack is in place, Windows loads the attacker-controlled “msedge.dll” instead of the legitimate component, resulting in the execution of a trojan.

Conclusion

The abuse of CVE-2025-6218 and CVE-2025-8088 shows how attackers can weaponize a trusted tool like WinRAR to gain initial access with minimal user interaction. By exploiting path traversal and ADS techniques, threat actors have turned simple archive extraction into a viable entry path. Keeping widely used software up to date is crucial, as timely patching remains the most effective defense against these attacks.
