WinRAR Gets Weaponized
On August 8, ESET researchers reported that Russia-linked threat actor RomCom exploited WinRAR CVE-2025-8088 as a zero-day in spearphishing attacks to deploy various backdoors.
The path traversal flaw, fixed in WinRAR 7.13, let a crafted archive write an executable outside the chosen extraction directory, into an autorun location such as the user's Startup folder, where it runs at the next logon. The attack chain was therefore simple: send the target a RAR file that looks legitimate (a CV, say; opening the archive in WinRAR shows only the decoy PDF), wait for them to extract it, and the backdoor installs itself without any further click.
It was the second WinRAR path traversal bug in as many months (CVE-2025-6218 was patched in June), but this one came with a twist: the traversal was carried in NTFS alternate data stream names (the file:stream syntax), so the payload entries stayed out of the victim's view and the dropped executable was all but invisible on disk.
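A quick way to triage incoming archives for this pattern, added here as an illustration and not code from the original post, ESET or RARLAB: a stdlib-only Python scanner that walks RAR5 block headers and flags entry names containing an NTFS stream separator, `..` traversal segments, an absolute path, or a Startup folder. The archive builder exists only to construct sample input offline; the sample entry names, including the ADS-plus-traversal one, are constructed for the demonstration and are not taken from the RomCom samples.

```python
"""Flag RAR5 entry names that smell like CVE-2025-8088-style abuse:
NTFS alternate data streams, '..' traversal, absolute paths, Startup folders.
Stdlib only. The builder is here solely to construct test input."""
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def vint_encode(n):
    """RAR5 variable-length int: 7 bits per byte, MSB set on all but the last."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def vint_decode(buf, pos):
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _header(htype, flags, body):
    """CRC32 + size vint + (type, flags, body); the CRC covers everything after itself."""
    block = vint_encode(htype) + vint_encode(flags) + body
    data = vint_encode(len(block)) + block
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def build_rar5(entries):
    """Minimal 'stored' RAR5 archive from (name, bytes) pairs; names written verbatim."""
    out = bytearray(RAR5_SIG)
    out += _header(1, 0, vint_encode(0))            # main archive header, no flags
    for name, data in entries:
        raw = name.encode("utf-8")
        body = (vint_encode(len(data))               # data size (header flag 0x2)
                + vint_encode(0)                     # file flags: no mtime, no CRC
                + vint_encode(len(data))             # unpacked size
                + vint_encode(0x20)                  # attributes (FILE_ATTRIBUTE_ARCHIVE)
                + vint_encode(0)                     # compression info: store
                + vint_encode(0)                     # host OS: Windows
                + vint_encode(len(raw)) + raw)
        out += _header(2, 0x2, body) + data
    out += _header(5, 0, vint_encode(0))            # end-of-archive header
    return bytes(out)


def iter_entry_names(blob):
    """Walk RAR5 headers, yielding names from file (type 2) and service (type 3) headers."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(blob):
        (crc,) = struct.unpack_from("<I", blob, pos)
        size, p = vint_decode(blob, pos + 4)
        end = p + size
        if zlib.crc32(blob[pos + 4:end]) & 0xFFFFFFFF != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = vint_decode(blob, p)
        flags, p = vint_decode(blob, p)
        data_size = 0
        if flags & 0x1:
            _, p = vint_decode(blob, p)             # extra area size (not needed here)
        if flags & 0x2:
            data_size, p = vint_decode(blob, p)
        if htype in (2, 3):
            file_flags, p = vint_decode(blob, p)
            _, p = vint_decode(blob, p)             # unpacked size
            _, p = vint_decode(blob, p)             # attributes
            p += 4 if file_flags & 0x2 else 0       # mtime
            p += 4 if file_flags & 0x4 else 0       # data CRC32
            _, p = vint_decode(blob, p)             # compression info
            _, p = vint_decode(blob, p)             # host OS
            nlen, p = vint_decode(blob, p)
            yield blob[p:p + nlen].decode("utf-8", "replace")
        if htype == 5:
            return
        pos = end + data_size


def suspicious_reasons(name):
    """Red flags for one entry name; an empty list means it looks benign."""
    reasons = []
    if name.startswith("/") or (len(name) > 1 and name[1] == ":" and name[0].isalpha()):
        reasons.append("absolute path")
    elif ":" in name:                               # only legal on NTFS as file:stream
        reasons.append("NTFS alternate data stream")
    # Treat '/', '\' and the ADS colon as boundaries so 'doc.pdf:../x' still splits.
    parts = name.replace("\\", "/").replace(":", "/").split("/")
    if ".." in parts:
        reasons.append("path traversal")
    if any(seg.lower() == "startup" for seg in parts):
        reasons.append("writes into a Startup folder")
    return reasons


def scan_archive(blob):
    """Map every flagged entry name to its list of reasons."""
    flagged = {}
    for name in iter_entry_names(blob):
        reasons = suspicious_reasons(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample: a benign decoy plus one illustrative ADS-traversal entry.
SAMPLE = build_rar5([
    ("CV_Jane_Doe.pdf", b"%PDF-1.4 decoy"),
    ("CV_Jane_Doe.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
     "\\Programs\\Startup\\update.exe", b"MZ..."),
])

if __name__ == "__main__":
    for name, reasons in scan_archive(SAMPLE).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Two caveats a mail gateway or sandbox should respect: archives with encrypted headers (the "encrypt file names" option) cannot be inspected without the password and should be treated as suspicious rather than clean, and a name-based scan is a complement to patching WinRAR to 7.13, not a substitute for it.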
WinRAR has no auto-update mechanism, so the fix only lands if someone installs 7.13 by hand. If you are still on 7.12 or earlier, the vulnerability is on your system and you probably don't know it; the same goes for the Windows command-line RAR and UnRAR builds shipped alongside it. By the time ESET went public, RomCom had already been using the bug in active spearphishing campaigns for weeks.
What Else Happened in August 2025?
The rest of August saw attackers moving upstream to exploit the very platforms we trust to manage our data. It was a month of massive supply chain ripples and high-stakes statecraft.
Stay vigilant, automate your hygiene, and remember that your security is only as strong as its most overlooked third-party link.
Sources: