
CVE-2025-8088

Published: August 12, 2025

EPSS: 3.83% probability of exploitation in 30 days (percentile: 87.9th)

Official Description

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.

Source: NVD

CISA KEV Advisory

RARLAB WinRAR Path Traversal Vulnerability


Added to KEV: 2025-08-12
Federal patch deadline: 2025-09-02
Required Action (CISA)

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Risk Analysis

This path traversal vulnerability in RARLAB WinRAR for Windows allows an attacker to execute arbitrary code by crafting malicious archive files. While a CVSS score is not available, its HIGH severity and inclusion in CISA's KEV catalog with an EPSS score of 0.03830 indicate a significant risk of exploitation.

This vulnerability is actively being exploited in the wild, as confirmed by its presence in CISA's KEV catalog. Exploitation occurs when a user processes a specially crafted archive file.

Recommended Action

Update WinRAR to the latest secure version. Exercise caution when opening archive files from untrusted sources and implement endpoint detection and response solutions.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2025-8088 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-8088 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Exploit & PoC Resources

Active exploitation: confirmed exploitation in the wild

News & Research Mentioning CVE-2025-8088

WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
The Hacker News · Jun 9, 2026

Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an

Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open
Trend Micro Research · Jun 7, 2026

Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exploited entry point open long after the fix ships.

Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
The Hacker News · Jun 2, 2026

The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an

Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia
Check Point Research · Feb 4, 2026

Check Point Research has identified several campaigns targeting multiple countries in the Southeast Asian region. These related activities have been collectively categorized under the codename “Amaranth-Dragon”. The campaigns demonstrate a clear focus on government entities across the region, suggesting a motivated threat actor with a strong interest in geopolitical intelligence. The campaigns […]

Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
Mandiant Blog · Jan 27, 2026

The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, the flaw continues to be exploited as an n-day by government-backed threat actors linked to Russia and China as well as by financially motivated threat actors across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness. In this blog post, we provide details on CVE-2025-8088 and the typical exploit chain, highlight exploitation by financially motivated and state-sponsored espionage actors, and provide IOCs to help defenders detect and hunt for the activity described in this post. To protect against this threat, we urge organizations


Quick Facts

CVE ID: CVE-2025-8088
Severity: HIGH
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 3.83%
Published: Aug 12, 2025

Known Threat Actors

  • payload (financial, CN)
  • Oni (financial)
  • Conti (financial, RU)
  • wa (financial)
  • Hive (financial)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-8088 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.