WinRAR Zero-Day: Why Opening That “CV” Could Autostart Malware
The Hacker News reports that WinRAR for Windows has patched an actively exploited zero-day (CVE-2025-8088, CVSS 8.8). The bug is a path-traversal flaw: booby-trapped RAR archives can force files to extract outside the chosen folder—into sensitive spots like Startup—to run code on next log-in. ESET linked live exploitation to Russia-aligned groups including RomCom and Paper Werewolf; the lure has often been CV-themed emails. The fix is WinRAR 7.13 (30 July 2025). Older Windows builds of WinRAR/RAR/UnRAR and UnRAR.dll are affected; user interaction is required. Separately, 7-Zip 25.01 addressed a low-severity symlink issue. Bottom line: update now.
If you still unzip everything like it’s 2005, it’s time for a brew and an update. Researchers have found a WinRAR zero-day (CVE-2025-8088) that lets a malicious archive sneak files outside the folder you picked—straight into places Windows loves to auto-run. Open the wrong “job application” and you’ve accidentally booked malware a permanent room in your Startup folder.
Who’s abusing it?
ESET says Russia-aligned actors, including RomCom and Paper Werewolf, have been flinging weaponised RARs at targets in Europe and Canada. The trick uses alternate data streams and a bit of path mischief so the payload lands where it shouldn’t, then fires on next log-in.
What fixes it?
WinRAR 7.13. There’s no auto-update, so you’ll need to install it yourself. Anything up to 7.12 is fair game for attackers. While you’re tidying, note that 7-Zip also patched a minor symlink quirk in 25.01.
Quick safety checklist
• Update WinRAR to 7.13 (and 7-Zip to 25.01 if you use it).
• Treat unexpected RARs—especially CVs and invoices—like suspicious parcels.
• Consider blocking RAR attachments at the email gateway until you’ve patched.
TL;DR: It’s not the unzipping that’ll get you, it’s where the files end up. Patch now and carry on.
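The point about where the files end up can be turned into a pre-extraction check. The sketch below is an added example, not code from WinRAR, ESET or the original post: it resolves each archive entry name against the chosen folder using Windows path rules and refuses entries that are absolute, use alternate data stream syntax, escape the folder, or resolve into a Startup folder. The function names, the destination path and the sample entry names are constructed for illustration.

```python
import ntpath  # Windows path rules; works on any OS

# Assumed marker: tail of the Windows Startup folder path, lower-cased.
STARTUP_MARKER = "\\start menu\\programs\\startup"

def check_entry(dest_dir, entry_name):
    """Return reasons to refuse an archive entry; an empty list means OK."""
    reasons = []
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        reasons.append("absolute path")
    if ":" in rest:
        reasons.append("alternate data stream syntax")
    # Resolve ".." the way Windows would, then compare case-insensitively.
    dest = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\")
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, name)))
    if target != dest and not target.startswith(dest + "\\"):
        reasons.append("escapes destination folder")
    if STARTUP_MARKER in target:
        reasons.append("lands in a Startup folder")
    return reasons

def audit(dest_dir, entry_names):
    """Map each rejected entry name to its reasons."""
    flagged = {}
    for name in entry_names:
        reasons = check_entry(dest_dir, name)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\cv"
SAMPLE_ENTRIES = [
    "cv.pdf",
    "docs/cover-letter.txt",
    "cv.pdf:notes",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"D:\tools\helper.exe",
]

if __name__ == "__main__":
    for entry, why in audit(DEST, SAMPLE_ENTRIES).items():
        print(f"REFUSE {entry!r}: {', '.join(why)}")
```

A check like this suits tooling that unpacks untrusted archives automatically; it does not replace updating to WinRAR 7.13.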