CVE-2025-8088
published 2025-08-08

Priority: P1 (93) · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2025-09-02)
Exploited in the wild
EPSS: 85.78% (99.7th percentile)

A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dtsearch | dtsearch | < 2023.01 | 2023.01 |
| rarlab | winrar | < 7.13 | 7.13 |
| win.rar_gmbh | winrar | <= 7.12 | |

Detection & IOCs (extracted from sources)

path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
path: %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
  • Monitor for files written to Windows Startup folders during or immediately after WinRAR archive extraction, as CVE-2025-8088 is exploited by crafting archives that force extraction into autorun paths.
  • Check Point IPS signature 'RARLAB WinRAR Directory Traversal (CVE-2025-8088)' can be used for network-level detection of exploitation attempts.
  • Weaponized phishing archives exploit CVE-2025-8088 to write malware into the Windows Startup folder, enabling automatic execution for ransomware and credential theft payloads.
  • WinRAR versions up to and including 7.12 on Windows are vulnerable; flag any endpoints running these versions as high priority for patching or mitigation.
  • Unix/Linux/Android versions of RAR/UnRAR are not affected; scope detection and patching efforts to Windows endpoints only.
  • WinRAR does not include an auto-update feature, meaning vulnerable versions will persist on endpoints unless manually updated by users or pushed via patch management.
  • The path traversal can be triggered when extracting to any user-specified path; the vulnerability lies in WinRAR's handling of attacker-controlled paths embedded in the archive, not in the destination chosen by the user.
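
The Startup-folder monitoring described in the first bullet, as an added example (not code from this page or any vendor): it flags file-creation events that land in either Startup path during or shortly after WinRAR activity. The event field names, the 30-second window, the default profile layout and the sample events are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Default expansions of the two Startup paths listed above (assumed profile layout).
STARTUP_DIRS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)
WINDOW = timedelta(seconds=30)  # assumed reading of "immediately after" extraction

def in_startup(path):
    """True if the path lies inside a Startup folder once '..' segments are collapsed."""
    norm = ntpath.normpath(path).lower()
    return any(d in norm for d in STARTUP_DIRS)

def flag_startup_writes(events):
    """Return (time, normalized path, reason) for Startup writes tied to WinRAR activity."""
    hits, last_winrar = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        by_winrar = ntpath.basename(ev["image"]).lower() == "winrar.exe"
        if by_winrar:
            last_winrar = t  # any file WinRAR creates marks an extraction in progress
        recent = last_winrar is not None and t - last_winrar <= WINDOW
        if in_startup(ev["target"]) and (by_winrar or recent):
            reason = "winrar" if by_winrar else "post-extraction"
            hits.append((ev["time"], ntpath.normpath(ev["target"]), reason))
    return hits

# Constructed sample file-creation events (hypothetical schema: time, image, target).
STARTUP = "Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_EVENTS = [
    {"time": "2025-08-10T09:00:01", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "target": "C:\\Users\\alice\\Downloads\\invoice\\invoice.pdf"},
    # Path kept un-normalized in case the log source records it as requested.
    {"time": "2025-08-10T09:00:01", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "target": "C:\\Users\\alice\\Downloads\\invoice\\..\\..\\AppData\\Roaming\\" + STARTUP + "\\updater.lnk"},
    # Lookalike folder name outside the real Startup path: must not be flagged.
    {"time": "2025-08-10T09:00:02", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "target": "C:\\Users\\alice\\Documents\\Startup\\notes.txt"},
    {"time": "2025-08-10T09:00:20", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\sync.lnk"},
    # Startup write hours later by an unrelated installer: outside the window.
    {"time": "2025-08-10T11:30:00", "image": "C:\\Temp\\setup.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\" + STARTUP + "\\tool.lnk"},
]

if __name__ == "__main__":
    for hit in flag_startup_writes(SAMPLE_EVENTS):
        print(hit)
```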

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.4 | HIGH | |
| cisa | | 8.4 | HIGH | |