Attackers are actively exploiting a zero-day in WinRAR, ESET reveals
- Marijan Hassan - Tech Journalist
- Aug 13
- 1 min read
A critical zero-day vulnerability in the popular file compression tool WinRAR, tracked as CVE-2025-8088, is being actively exploited in phishing attacks to install the notorious RomCom malware. Researchers at ESET discovered the flaw, which lets an attacker execute arbitrary code on a victim's system once the victim extracts a crafted archive.

The vulnerability is a path traversal flaw that WinRAR patched in version 7.13. Attackers exploit it with specially crafted archives: on extraction, the archive writes a malicious executable not into the folder the user chose but into a Windows autorun location such as the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), so the malware runs the next time the user logs in. The flaw affects Windows builds of WinRAR and its related components (RAR, UnRAR, the portable UnRAR source and UnRAR.dll) in versions 7.12 and earlier; Unix versions and RAR for Android are not affected.
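The extraction-time path traversal described above, as an added example that is not code from the article, ESET or WinRAR: it reproduces the vulnerability class with a constructed ZIP archive and a deliberately unchecked hand-written extractor, beside a hardened extractor that resolves every entry against the destination and refuses anything that escapes it. It does not reproduce WinRAR's bug or the RomCom payload; the `Startup` directory, the entry name `../Startup/updater.exe` and the payload bytes are constructed stand-ins, and Python's own `ZipFile.extractall()` is not vulnerable (it sanitises entry names), which is why the unsafe path writes entries by hand.

```python
"""Archive path traversal ("zip slip") demo: naive vs. hardened extraction.

Added example, not code from the article, ESET or WinRAR. Everything below
(archive, entry name, payload, directory layout) is constructed for the demo.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_archive(traversal_name: str, payload: bytes) -> bytes:
    """Return ZIP bytes with one entry whose name climbs out of the extraction dir.

    A real attacker would aim the name at an autorun location such as the
    Windows Startup folder; here the target is a sibling directory under a
    temporary root. (Constructed input for the demo.)
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(traversal_name, payload)
    return buf.getvalue()


def naive_extract(archive: bytes, dest_dir: str) -> list[str]:
    """Vulnerable: trusts the entry name and joins it onto dest_dir unchecked."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def safe_extract(archive: bytes, dest_dir: str) -> list[str]:
    """Hardened: resolve each entry and refuse anything outside dest_dir.

    realpath() collapses '..' and symlinks; commonpath() then proves the
    resolved target still sits under the extraction root before any write.
    """
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes extraction dir: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the same crafted archive inside a temp root.

    Constructed layout:  <root>/Downloads/  <- where the user extracts
                         <root>/Startup/    <- stand-in for the autorun folder
    Returns what each extractor did so the behaviour can be checked.
    """
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "Downloads")
        startup = os.path.join(root, "Startup")
        os.makedirs(downloads)
        os.makedirs(startup)

        # Constructed payload; "MZ" only mimics the start of a PE header.
        archive = build_malicious_archive("../Startup/updater.exe", b"MZ-demo-payload")

        safe_error = None
        try:
            safe_extract(archive, downloads)
        except ValueError as exc:
            safe_error = str(exc)
        startup_after_safe = os.listdir(startup)  # hardened path wrote nothing

        naive_written = naive_extract(archive, downloads)
        planted = os.path.isfile(os.path.join(startup, "updater.exe"))

        return {
            "safe_rejected": safe_error is not None,
            "safe_error": safe_error,
            "startup_after_safe": startup_after_safe,
            "naive_written": naive_written,
            "naive_planted_outside": planted,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same check generalises to any archive format: validate the resolved path of every entry (including directory entries and absolute names) against the destination before the first byte is written, rather than stripping `..` from the string, which misses encoded and symlink-based variants.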
The hacking group behind these attacks is known as RomCom, a Russian-aligned threat actor also tracked as Storm-0978, Tropical Scorpius, or UNC2596. RomCom is known for its use of zero-day vulnerabilities and custom malware in campaigns that include ransomware, data theft, and credential stealing.
Because WinRAR has no auto-update mechanism, users must update manually: download WinRAR 7.13 or later from the official website, win-rar.com, and install it on every machine, including portable copies. Updating is the only fix for the vulnerability itself; there is no configuration workaround. Software that bundles UnRAR.dll or the UnRAR source needs to be rebuilt against the patched release as well. Users should also treat email attachments and archive files from untrusted sources with extreme caution, and anyone who has extracted a suspicious archive should check the Startup folder for executables they did not put there.
This incident serves as a stark reminder of the dangers of zero-day exploits and the importance of keeping all software, especially widely used applications, up to date.