CVE-2025-8088
Published: August 12, 2025
Official Description
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.
CISA KEV Advisory
RARLAB WinRAR Path Traversal Vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Risk Analysis
This path traversal vulnerability in RARLAB WinRAR for Windows allows an attacker to execute arbitrary code by crafting malicious archive files. No CVSS score is available, but the HIGH severity rating, the listing in CISA's KEV catalog and an EPSS score of 0.03830 together indicate a significant risk of exploitation.
This vulnerability is actively being exploited in the wild, as confirmed by its presence in CISA's KEV catalog. Exploitation occurs when a user processes a specially crafted archive file.
Update WinRAR to the latest secure version. Exercise caution when opening archive files from untrusted sources and implement endpoint detection and response solutions.
Technical Analysis
CVE-2025-8088 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2025-8088 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
News & Research Mentioning CVE-2025-8088
The Hacker News: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an
Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exploited entry point open long after the fix ships.
The Hacker News: The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an
Check Point Research (Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia): Check Point Research has identified several campaigns targeting multiple countries in the Southeast Asian region. These related activities have been collectively categorized under the codename "Amaranth-Dragon". The campaigns demonstrate a clear focus on government entities across the region, suggesting a motivated threat actor with a strong interest in geopolitical intelligence. The campaigns […]
Google Threat Intelligence Group: The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. The flaw was discovered and patched in July 2025, yet government-backed threat actors linked to Russia and China, as well as financially motivated threat actors, continue to exploit it as an n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness. In this blog post, we provide details on CVE-2025-8088 and the typical exploit chain, highlight exploitation by financially motivated and state-sponsored espionage actors, and provide IOCs to help defenders detect and hunt for the activity described in this post. To protect against this threat, we urge organizations
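As an added illustration of the archive path-traversal class described above (this is example code written for this page, not code from CISA, WinRAR or any of the cited reports), the following Python checker audits archive entry names before anything is written to disk. It uses the standard-library zipfile module as a stand-in for the RAR container, because the defensive check is on the entry names rather than on the archive format; the in-memory sample archive, the Startup-folder heuristic and the function names are assumptions made for this example.

```python
import io
import posixpath
import zipfile

# Heuristic marker for a Windows Startup folder, the persistence target named
# in the reporting on this CVE. Assumption for this example: a hunt rule would
# normally carry the full per-user and all-users paths.
STARTUP_MARKER = "start menu/programs/startup"


def entry_problems(name: str) -> list[str]:
    """Return every reason an archive entry name should be refused.

    An empty list means the name is acceptable. Both separator styles are
    normalised first because WinRAR runs on Windows, where '\\' is a separator.
    """
    problems = []
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        # Covers plain absolute paths and UNC-style "//server/share" names.
        problems.append("absolute or UNC path")
    if len(norm) >= 2 and norm[1] == ":":
        problems.append("drive letter")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        problems.append("parent-directory traversal")
    if STARTUP_MARKER in norm.lower():
        problems.append("targets a Startup folder")
    return problems


def resolves_inside(dest: str, name: str) -> bool:
    """Final gate an extractor should apply regardless of name-based checks:
    the joined and normalised target path must remain under dest.
    posixpath is used so the result is the same on any host."""
    norm = name.replace("\\", "/")
    target = posixpath.normpath(posixpath.join(dest, norm))
    root = dest.rstrip("/")
    return target == root or target.startswith(root + "/")


def audit_archive(data: bytes, dest: str = "/tmp/extract") -> dict[str, str]:
    """Map each entry name in a zip archive to 'ok' or a REJECT verdict."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if not resolves_inside(dest, info.filename):
                problems.append("escapes extraction directory")
            verdicts[info.filename] = "ok" if not problems else "REJECT: " + "; ".join(problems)
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed test archive for this example (not a real campaign sample):
    one benign entry plus two traversal-style entries of the kind described
    in the reporting above. Payload bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content")
        zf.writestr(
            "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.lnk",
            "placeholder",
        )
        zf.writestr("/etc/cron.d/x", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict in audit_archive(build_sample_archive()).items():
        print(f"{verdict:45s} {entry}")
```

The name-based checks give a readable reason for triage; `resolves_inside` is the check that actually matters for safety, since it does not depend on recognising any particular traversal spelling. An extractor should apply it per entry and abort the whole archive on the first failure rather than skipping the bad entry and continuing.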
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2025-8088 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed — treat as P1