CVE-2025-8088
Published: 2025-08-08

- Priority: P1 · 93
- CVSS 3.1: 8.8 (high); vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
- CISA Known Exploited Vulnerability, remediation due 2025-09-02
- Exploited in the wild
- EPSS: 85.78% (99.7th percentile)
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dtsearch | dtsearch | < 2023.01 | 2023.01 |
| rarlab | winrar | < 7.13 | 7.13 |
| win.rar_gmbh | winrar | <= 7.12 | — |
Detection & IOCs (extracted from sources)
- Monitor for files written to Windows Startup folders during or immediately after WinRAR archive extraction, as CVE-2025-8088 is exploited by crafting archives that force extraction into autorun paths.
- Check Point IPS signature 'RARLAB WinRAR Directory Traversal (CVE-2025-8088)' can be used for network-level detection of exploitation attempts.
- Weaponized phishing archives exploit CVE-2025-8088 to write malware into the Windows Startup folder, enabling automatic execution for ransomware and credential theft payloads.
- WinRAR versions up to and including 7.12 on Windows are vulnerable; flag any endpoints running these versions as high priority for patching or mitigation.
- Unix/Linux/Android versions of RAR/UnRAR are not affected; scope detection and patching efforts to Windows endpoints only.
- WinRAR does not include an auto-update feature, meaning vulnerable versions will persist on endpoints unless manually updated by users or pushed via patch management.
- The path traversal can be triggered when extracting to any user-specified path; the vulnerability lies in WinRAR's handling of attacker-controlled paths embedded in the archive, not in the destination chosen by the user.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | | 8.4 | HIGH | |
| CISA | | 8.4 | HIGH | |
GHSA
GHSA-832g-3rcm-wcrf
ghsa_unreviewed · 2025-08-08 · CVE-2025-8088 [HIGH] · CWE-35
A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
VulnCheck
RARLAB WinRAR Path Traversal Vulnerability
vulncheck · 2025 · CVSS 8.4 · CVE-2025-8088 [HIGH] · CWE-35
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.
Affected: RARLAB WinRAR
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2025-8088; https://www.acn.gov.it/portale/w/rilevato-sfruttamento-in-rete-della-cve-2025-8088-relativa-a-winrar; https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/; https:
CISA
RARLAB WinRAR Path Traversal Vulnerability
cisa · 2025-08-12 · CVSS 8.4 · CVE-2025-8088 [HIGH] · CWE-35
Vulnerability: RARLAB WinRAR Path Traversal Vulnerability
Affected: RARLAB WinRAR
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8088
Remediation Due Date: 2025-09-02
Suricata
ET EXPLOIT [CORELIGHT] RAR File ADS Path Traversal Inbound via HTTP (CVE-2025-8088)
suricata · 2025-08-11 · CVSS 8.4 · CVE-2025-8088 [HIGH]
Rule:

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [CORELIGHT] RAR File ADS Path Traversal Inbound via HTTP (CVE-2025-8088)"; flow:established,to_client; http.response_body; content:"STM"; fast_pattern; pcre:"/^.{2}\x3a[^\x00]{0,64}(?:\x2f|\x5c|%5[Cc]|%2[Ff])?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,travisgreen.net/2025/08/11/CVE-2025-8088.html; reference:cve,2025-8088; classtype:bad-unknown; sid:2063966; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_08_11, cve CVE_2025_8088, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_08_11, mitre_tactic_id TA0001, mitre_ta
```
Suricata
ET EXPLOIT [CORELIGHT] RAR File ADS Path Traversal Inbound via raw tcp (CVE-2025-8088)
suricata · 2025-08-11 · CVSS 8.4 · CVE-2025-8088 [HIGH]
Rule:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [CORELIGHT] RAR File ADS Path Traversal Inbound via raw tcp (CVE-2025-8088)"; flow:established,to_client; app-layer-protocol:!http; content:"|00 00 03|STM"; fast_pattern; pcre:"/^.{2}\x3a[^\x00]{0,64}(?:\x2f|\x5c|%5[Cc]|%2[Ff])?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; threshold:type limit, seconds 600, count 1, track by_src; reference:url,travisgreen.net/2025/08/11/CVE-2025-8088.html; reference:cve,2025-8088; classtype:bad-unknown; sid:2063967; rev:2; metadata:attack_target Client_Endpoint, created_at 2025_08_11, cve CVE_2025_8088, deployment Perimeter, performance_impact Moderate, confidence High, signature_sever
```
Sigma
WinRAR Creating Files in Startup Locations
sigma · CVSS 7.8 · CVE-2025-6218 [HIGH]
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
Detection:

```yaml
logsource:
  category: file_event
  product: windows
detection:
  selection:
    Image|endswith:
      - \WinRAR.exe
      - \Rar.exe
    TargetFilename|contains: \Start Menu\Programs\Startup\
  condition: selection
```
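The two detection layers above, the Corelight/ET Suricata PCRE over archive bytes and the Sigma file_event selection on the endpoint, re-expressed as Python a defender can run offline against samples. This is an added example, not code from the rule authors or from WinRAR; the RAR fragments and file events are constructed test data, the `re.DOTALL` flag is this example's own choice, and the hypothetical function names are ours.

```python
import re
from dataclasses import dataclass

# Byte-level equivalent of the PCRE in the two Emerging Threats/Corelight rules
# above: the RAR5 service header name "STM", two arbitrary bytes, a ':' that
# starts an NTFS alternate data stream name, up to 64 non-NUL bytes, an
# optional separator, then two or more "dot-dot-separator" groups, raw or
# percent-encoded. re.DOTALL is this example's own choice: the rule's `.`
# would skip a header whose two bytes contain 0x0a, which a file scanner
# should not.
STM_TRAVERSAL = re.compile(
    rb"STM.{2}\x3a[^\x00]{0,64}"
    rb"(?:\x2f|\x5c|%5[Cc]|%2[Ff])?"
    rb"(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}",
    re.DOTALL,
)


@dataclass
class StmHit:
    offset: int    # byte offset of the "STM" header name in the buffer
    stream: bytes  # the stream-name fragment that matched, for analyst triage


def find_stm_traversal(blob: bytes) -> list[StmHit]:
    """Return one hit per STM header whose stream name carries traversal."""
    return [StmHit(m.start(), m.group(0)[5:]) for m in STM_TRAVERSAL.finditer(blob)]


def is_suspicious_rar(blob: bytes) -> bool:
    """Gateway-style verdict for an archive body (e.g. a mail attachment)."""
    return bool(find_stm_traversal(blob))


# Endpoint counterpart: the Sigma rule's `selection` applied to one file_event.
# Sigma string matching is case-insensitive, so both sides are lower-cased.
ARCHIVER_IMAGES = ("\\winrar.exe", "\\rar.exe")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def sigma_startup_write(event: dict) -> bool:
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(ARCHIVER_IMAGES) and STARTUP_DIR in target


# Constructed sample data, not real captures. RAR5_SIG is the genuine RAR 5.0
# signature; everything after it is a fragment shaped to exercise the regex.
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
SAMPLE_BLOBS = {
    "clean":   RAR5_SIG + b"STM\x0f\x02:Zone.Identifier\x00",
    "raw":     RAR5_SIG + b"STM\x1c\x02:notes\\..\\..\\..\\Users\\x\x00",
    "encoded": RAR5_SIG + b"STM\x10\x02:a%2e%2e%5c%2e%2e%5cStart\x00",
    "single":  RAR5_SIG + b"STM\x08\x02:a\\..\\b\x00",  # one hop: below threshold
}
SAMPLE_EVENTS = [  # constructed Sysmon-style file_event records
    {"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\tool.lnk"},
]


if __name__ == "__main__":
    for name, blob in SAMPLE_BLOBS.items():
        hits = find_stm_traversal(blob)
        print(f"{name:8} suspicious={bool(hits)}",
              *(f"@{h.offset} {h.stream!r}" for h in hits))
    for ev in SAMPLE_EVENTS:
        print(f"startup-write={sigma_startup_write(ev)} {ev['Image']}")
```

The network check flags only the ADS-name pattern the ET rules describe, so a clean archive with an ordinary `Zone.Identifier` stream passes, while the endpoint check fires on the Startup-folder write regardless of how the archive was delivered.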
No public exploits indexed.
Hackernews
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse
blogs_hackernews · 2026-06-29 · CVSS 8.8 · CVE-2025-8088 [HIGH]
A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions.
"Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine," ESE
Hackernews
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
blogs_hackernews · 2026-06-26 · CVE-2025-8088
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017. Suspe
Eset
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
blogs_eset · 2026-06-25 · CVE-2025-8088
Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025.
In our latest research, we analyze Gamaredon’s activity during 2025, including new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. The full technical details are available in our latest white paper.
Key points of this blogpost:
Throug
Checkpoint
15th June – Threat Intelligence Report
blogs_checkpoint · 2026-06-15 · CVSS 9.8 · CVE-2026-35273 [CRITICAL]
For the latest discoveries in cyber research for the week of 15th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The University of Nottingham, a UK research university, has suffered a data breach after ShinyHunters accessed its student records system. The incident affected about 454,600 current and former students and exposed contact details, passport numbers, enrollment information, and fee payment records, which later appeared online. According
Hackernews
WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
blogs_hackernews · 2026-06-09 · CVSS 8.8 · CVE-2025-8088 [HIGH]
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS). It was patched by WinRAR in July 2025.
The findings show "how un
Hackernews
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
blogs_hackernews · 2026-06-02 · CVSS 8.4 · CVE-2025-8088 [HIGH]
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.
Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloader codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026.
Hackernews
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
blogs_hackernews · 2026-05-14 · CVSS 7.8 · CVE-2023-38831 [HIGH]
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine.
Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC-0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
"FrostyNeighbor has been running continual cyber operations, changing and updating
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist · 2026-05-07 · CVSS 7.8 · CVE-2026-21519 [HIGH]
Author: Alexander Kolesnikov

Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
  - CVE-2026-21519: Desktop Window Manager vulnerability
  - RegPwn (CVE-2026-21533): a system settings access control vulnerability
  - CVE-2026-21514: a Microsoft Office vulnerability
  - Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
  - CVE-2026-34070: LangChain framework vulnerability
  - CVE-2026-22812: an OpenCode vulnerability
- Conclusion and advice
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist · 2026-03-06
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist · 2026-03-06 · CVSS 7.8 · CVE-2025-55182 [HIGH]
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
  - React2Shell (CVE-2025-55182): a vulnerability in React Server Components
  - CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
  - CVE-2025-11001: a vulnerability in 7-Zip
  - RediShell (CVE-2025-49844): a vulnerability in Redis
  - CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
  - CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
- Conclusion and advice

Author: Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant · 2026-03-05
March 5, 2026
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant · 2026-03-05
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
## Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Checkpoint
9th February – Threat Intelligence Report
blogs_checkpoint · 2026-02-09 · CVE-2026-1281
For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained fully functional and oil transport continued without interruption. The attack
Checkpoint
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia
blogs_checkpoint · 2026-02-04 · CVSS 8.4 · CVE-2025-8088 [HIGH]
## Key Points
Check Point Research (CPR) has been tracking Amaranth-Dragon, a nexus of APT-41, pr
Bleepingcomputer
New Amaranth Dragon cyberespionage group exploits WinRAR flaw
blogs_bleepingcomputer · 2026-02-04 · CVSS 8.4 · CVE-2025-8088 [HIGH]
By Bill Toulas
A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies.
The hackers combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth.
According to researchers at cybersecurity company Check Point, Amaranth Dragon targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.
The CVE-2025-8088 vulnerability can be exploited to write malicious files to arbitrary locations by levera
Checkpoint
2nd February – Threat Intelligence Report
blogs_checkpoint · 2026-02-02 · CVE-2025-8088
For the latest discoveries in cyber research for the week of 2nd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
MicroWorld Technologies, maker of eScan antivirus, has suffered a supply-chain compromise. Malicious updates were pushed via the legitimate eScan updater, delivering multi-stage malware that establishes persistence, enables remote access, and blocks automatic updates. In response, eScan shut down its global update service
Mandiant
Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
blogs_mandiant · 2026-01-27 · CVSS 8.4 · CVE-2025-8088 [HIGH]
January 27, 2026
### Introduction
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw
Mandiant
Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
blogs_mandiant · 2026-01-27 · CVSS 8.4 · CVE-2025-8088 [HIGH]
## Introduction
The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persi
Bleepingcomputer
WinRAR path traversal flaw still exploited by numerous hackers
blogs_bleepingcomputer · 2026-01-27 · CVSS 8.4 · CVE-2025-8088 [HIGH]
By Bill Toulas
Multiple threat actors, both state-sponsored and financially motivated, are exploiting the CVE-2025-8088 high-severity vulnerability in WinRAR for initial access and to deliver various malicious payloads.
The security issue is a path traversal flaw that leverages Alternate Data Streams (ADS) to write malicious files to arbitrary locations. Attackers have exploited this in the past to plant malware in the Windows Startup folder, for persistence across reboots.
Researchers at cybersecurity company ESET discovered the vulnerability and reported in early August 2025 that the Russia-aligned group RomCom had been exploiting it in zero-day attacks.
In a report today, the Google Threat Intelligence Group (GTIG) s
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist · 2025-12-03 · CVSS 7.8 · CVE-2025-49704 [HIGH]
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
  - ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
  - CVE-2025-8088: a directory traversal vulnerability in WinRAR
  - CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
- Conclusion and advice

Author: Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist · 2025-12-03
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Tenable
7 Questions EDR Providers Hope You Won’t Ask About Their “Exposure Management” Solution
blogs_tenable · 2025-11-05
Qualys
Eliminate WinRAR CVE-2025-8088 with TruRisk Eliminate | Qualys
blogs_qualys · 2025-09-05 · CVSS 8.4 · CVE-2025-8088 [HIGH]
## Table of Contents
- Active Exploitation: Threat Actors Move Quickly
- TruRisk Eliminate: A Complete Response Strategy
- Decision Flow: Responding to CVE-2025-8088 with TruRisk Eliminate
- Conclusion: One Platform, Many Paths to Resilience
- Frequently Asked Questions (FAQs)
## The Risk Behind the WinRAR Vulnerability
A newly disclosed path traversal vulnerability (CVE-2025-8088) in WinRAR leaves millions of Windows systems exposed to attack. This flaw enables adversaries to craft malicious archives that bypass the user’s chosen extraction path, forcing files into unintended system locations.
All versions of WinRAR up to 7.12 are impacted, making this not just a software bug but an enterprise-scale risk. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog undersc
Qualys
CVE-2025-8088 WinRAR Exploit: From Zero-Day to Zero-Risk with TruRisk™ Eliminate
blogs_qualys · 2025-09-05 · CVSS 8.4 · CVE-2025-8088 [HIGH]
## Table of Contents
- Active Exploitation: Threat Actors Move Quickly
- TruRisk Eliminate: A Complete Response Strategy
- Decision Flow: Responding to CVE-2025-8088 with TruRisk Eliminate
- Conclusion: One Platform, Many Paths to Resilience
- Frequently Asked Questions (FAQs)
## The Risk Behind the WinRAR Vulnerability
A newly disclosed path traversal vulnerability (CVE-2025-8088) in WinRAR leaves millions of Windows systems exposed to attack. This flaw enables adversaries to craft malicious archives that bypass the user’s chosen extraction path, forcing files into unintended system locations.
All versions of WinRAR up to 7.12 are impacted, making this not just a software bug but an enterprise-scale risk. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog underscores
Bleepingcomputer
Details emerge on WinRAR zero-day attacks that infected PCs with malware
blogs_bleepingcomputer·2025-08-11·CVSS 7.5
CVE-2025-8088 [HIGH] Details emerge on WinRAR zero-day attacks that infected PCs with malware
## Details emerge on WinRAR zero-day attacks that infected PCs with malware
## Bill Toulas
Researchers have released a report detailing how a recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop different malware payloads.
RomCom (aka Storm-0978 and Tropical Scorpius) is a Russian cyberespionage threat group with a history in zero-day exploitation, including in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884).
ESET discovered that RomCom was exploiting an undocumented path traversal zero-day vulnerability in WinRAR on July 18, 2025, and notified the team behind the popular archiver tool.
"Analysis of the exploit led to the discovery of the vulnerability, now assi
Bleepingcomputer
WinRAR zero-day exploited to plant malware on archive extraction
blogs_bleepingcomputer·2025-08-08·CVSS 8.4
CVE-2025-8088 [HIGH] WinRAR zero-day exploited to plant malware on archive extraction
## WinRAR zero-day exploited to plant malware on archive extraction
## Lawrence Abrams
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
The flaw, fixed in WinRAR 7.13, is a directory traversal vulnerability that allows specially crafted archives to extract files into a file path selected by the attacker rather than the one chosen by the user.
"When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path," reads the WinRAR 7.13 changelog.
"Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected."
Threat Intel
Amaranth-Dragon
threat_intel·CVSS 8.4
CVE-2025-8088 [HIGH] Amaranth-Dragon
# Threat Actor: Amaranth-Dragon
## Description
Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT41 ecosystem, exhibiting similar tooling and operational patterns. The group demonstrated technical maturity by rapidly operationalizing CVE-2025-8088, a vulnerability in WinRAR, shortly after its public disclosure. Check Point Research has identified multiple campaigns targeting Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines, with operations typically focused on one or two countries at a time. The overlaps in technical and operational indicators strongly suggest that Amaranth-Dragon is either affiliated with or part of the broader APT41 ecosystem.
Eset
WinRAR zero-day exploited in espionage attacks against high-value targets
blogs_eset·CVSS 8.4
CVE-2025-8088 [HIGH] WinRAR zero-day exploited in espionage attacks against high-value targets
ESET researchers have uncovered a previously unknown vulnerability in WinRAR, actively being exploited by Russia-aligned group RomCom. Tracked as CVE-2025-8088, the path traversal flaw affects WinRAR's Windows version and lets threat actors execute arbitrary code by crafting malicious archive files. This marks at least the third time RomCom has leveraged a significant zero-day bug to conduct its operations, which underscores the group’s willingness to invest serious resources into its campaigns.
Meanwhile, if you use WinRAR, you should update to the tool's latest version (version 7.13) as soon as possible, if you haven't already.
What else is there to know about the attacks? Find out in the video from ESET Chief Security Evangelist Tony Anscombe and make sure to read the blogpost, too!
Eset
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
blogs_eset·CVSS 7.5
CVE-2023-36884 [HIGH] Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
ESET researchers have discovered a previously unknown vulnerability in WinRAR, being exploited in the wild by Russia-aligned group RomCom. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild. Previous examples include the abuse of CVE-2023-36884 via Microsoft Word in June 2023, and, in October 2024, CVE-2024-9680 chained with another previously unknown vulnerability in Windows, CVE-2024-49039, targeting vulnerable versions of Firefox, Thunderbird, and the Tor Browser and leading to arbitrary code execution in the context of the logged-in user.
> Key points of this blogpost:
>
> - If you use WinRAR or other affected components such as the Windows versions of its command line utilities, UnRA
Recorded Future
August 2025 CVE Landscape
blogs_recorded_future·CVSS 8.8
[HIGH] August 2025 CVE Landscape
# August 2025 CVE Landscape
In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings fro
Wiz
CVE-2019-25677 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2019-25677 [HIGH] CVE-2019-25677 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2019-25677: WinRAR vulnerability analysis and mitigation
WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.
Source: NVD
| Field | Value |
|---|---|
| Score | 6.9 |
| Published | April 5, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | WinRAR |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 1.6 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:rarlab:w
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5
- https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/
- https://support.dtsearch.com/faq/dts0245.htm
- https://www.vicarius.io/vsociety/posts/cve-2025-8088-detect-winrar-zero-day
- https://www.vicarius.io/vsociety/posts/cve-2025-8088-mitigate-winrar-zero-day-using-srp-and-ifeo
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8088
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/#the-discovery-of-cve-2025-8088
- Published: 2025-08-08
- Added to CISA KEV: 2025-08-12
- Exploited in the wild