Google Reports Large-Scale Exploitation of a Known WinRAR Vulnerability
Publication date: 2026-01-28
Google’s Threat Intelligence Group has confirmed widespread, ongoing exploitation of CVE-2025-8088, a critical vulnerability in WinRAR that was patched back in July 2025. Despite the availability of a fix, attackers continue to abuse this flaw to gain persistent access to Windows systems across government, military, and commercial environments.
For a detailed breakdown, see our BaseFortify CVE report: https://basefortify.eu/cve_reports/2025/08/cve-2025-8088.html — we annotate it with an EPSS score and provide a Q&A plus an AI Assistant enriched with knowledge from scraped resources.
This is not a zero-day problem. It is a visibility and update discipline problem.
What Went Wrong with WinRAR?
WinRAR is one of those tools that quietly exists on countless systems. It is often installed manually, updated infrequently, and—critically—does not include automatic updates.
CVE-2025-8088 is a path traversal vulnerability that allows attackers to write files outside the intended extraction directory when a specially crafted RAR archive is opened. In practice, attackers abuse this to drop files directly into the Windows Startup folder, ensuring execution at the next user login.
The vulnerability was fixed in WinRAR 7.13, released on July 30, 2025. Exploitation began before the final release and has continued ever since.
How the Exploit Works (Step by Step)
At a high level, the exploit chain looks deceptively simple:
- A victim opens a malicious RAR archive
- The archive contains a legitimate-looking decoy file (PDF, document, etc.)
- Hidden inside the archive is a payload stored using Alternate Data Streams (ADS)
- The archive uses directory traversal to extract the payload into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- The payload executes automatically at the next login
An example of a malicious archive entry observed in the wild:
innocent.pdf:payload.lnk
../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.lnk
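The two entry shapes above (a traversal path and an alternate-data-stream name) can both be recognised from the entry name alone, before anything is written to disk. The following PowerShell function is an added example, not code from the original post or from BaseFortify: it classifies entry names from a bare archive listing and also resolves each name against a hypothetical extraction root to confirm, independently of the textual checks, whether it would land outside that root. The sample entries are constructed here; the `<user>` placeholder from the listing above is replaced by a made-up profile name.

```powershell
# Added example (not code from the original post): flag archive entry names that would
# escape the extraction directory or target an NTFS alternate data stream, before extracting.
# Assumptions: entry names come from a bare listing (e.g. the console Rar.exe "lb" command)
# or from the constructed samples below; $ExtractRoot is a hypothetical destination.

function Test-ArchiveEntryName {
    param(
        [Parameter(Mandatory)][string]$EntryName,
        [string]$ExtractRoot = 'C:\Extract'
    )
    $reasons = @()
    $path = $EntryName -replace '/', '\'      # both separators are valid on Windows

    # A drive letter or leading separator makes the entry rooted: the extraction root is ignored.
    $drive = ''
    if ($path -match '^[A-Za-z]:') { $drive = $path.Substring(0, 2); $path = $path.Substring(2) }
    if ($drive -or $path.StartsWith('\')) { $reasons += 'rooted path' }

    # A colon in the remaining name is ADS syntax (innocent.pdf:payload.lnk); keep only the file part.
    $ads = $path.IndexOf(':')
    if ($ads -ge 0) { $reasons += 'alternate data stream'; $path = $path.Substring(0, $ads) }

    # Any ".." segment is a traversal attempt, however many of them there are.
    if (($path -split '\\') -contains '..') { $reasons += 'dot-dot segment' }

    # Independent of the textual checks: resolve the name and confirm it still sits under the root.
    $root = [System.IO.Path]::GetFullPath($ExtractRoot).TrimEnd('\') + '\'
    try {
        $resolved = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $drive + $path))
        if (-not $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'resolves outside extraction root'
        }
    } catch {
        $resolved = $null
        $reasons += "unresolvable name ($($_.Exception.GetType().Name))"
    }

    [pscustomobject]@{
        Entry    = $EntryName
        Resolved = $resolved
        Safe     = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample listing: one benign entry plus the two shapes quoted in the post
# (the <user> placeholder replaced by a made-up profile name).
$samples = @(
    'invoice.pdf',
    'innocent.pdf:payload.lnk',
    '../../../../../Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.lnk'
)
$samples | ForEach-Object { Test-ArchiveEntryName -EntryName $_ } | Format-Table -AutoSize
```

Only the first sample comes back as Safe. The resolution step matters because the textual checks can be bypassed by encodings a simple pattern match does not anticipate, while the resolved path is what the file system will actually use; running both and reporting every reason gives an analyst the full picture for each entry. To run it over a real archive, pipe the bare listing from the console archiver into the function (this assumes the listing prints entry names one per line).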
From the user’s perspective, they simply opened an archive and viewed a document. Persistence is already in place.
Why This Is So Effective
This attack does not rely on exotic techniques. It works because it combines:
- A trusted, widely installed application
- Manual patching requirements
- User interaction that looks completely benign
- A persistence mechanism native to Windows
Even well-defended environments struggle when software inventory and version awareness are incomplete.
How to Check If You’re Exposed
Check the Installed WinRAR Version (Windows)
From PowerShell:
Get-Item "C:\Program Files\WinRAR\WinRAR.exe" | Select-Object -ExpandProperty VersionInfo
Or via command line:
"C:\Program Files\WinRAR\WinRAR.exe" /?
If the version is lower than 7.13, the system is vulnerable.
Inspect the Startup Folder for Abuse
Attackers abusing CVE-2025-8088 frequently drop .lnk, .bat, .cmd, or .hta files.
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Unexpected files here—especially those created recently—deserve immediate investigation.
Hunt for Suspicious Archive Activity
If you log process creation events, look for WinRAR extracting files directly into user profile Startup paths. That behavior is rarely legitimate.
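The three checks in this section fit naturally into one script that an administrator can run on an endpoint. The PowerShell below is an added example, not code from the original post or from BaseFortify. It locates WinRAR at its default paths and, as an assumption of this example, via the exe64/exe32 values under HKLM:\SOFTWARE\WinRAR; compares the file version against 7.13; emits a CPE name in the format the post shows under "How BaseFortify Helps"; lists the suspect file types in both the per-user and all-users Startup folders together with any extra NTFS streams and .lnk targets; and finally hunts recent Sysmon file-creation events in which an archiver process wrote into a Startup path. The event hunt assumes Sysmon is installed with FileCreate (ID 11) and FileCreateStreamHash (ID 15) logging enabled.

```powershell
# Added example (not code from the original post): the three exposure checks in one script.
# Assumptions: WinRAR at a default path or recorded in the HKLM:\SOFTWARE\WinRAR exe64/exe32
# values (a registry location this example assumes); Sysmon present with event IDs 11 and 15
# logged for the last check. Run from an elevated PowerShell session.

$FixedVersion = [version]'7.13'

# --- 1. Installed WinRAR version, plus the CPE name a component inventory would track ---
$candidates = @('C:\Program Files\WinRAR\WinRAR.exe', 'C:\Program Files (x86)\WinRAR\WinRAR.exe')
$reg = Get-ItemProperty 'HKLM:\SOFTWARE\WinRAR' -ErrorAction SilentlyContinue
if ($reg) { $candidates += @($reg.exe64, $reg.exe32) | Where-Object { $_ } }

$installs = foreach ($exe in ($candidates | Sort-Object -Unique | Where-Object { Test-Path $_ })) {
    $raw = (Get-Item $exe).VersionInfo.ProductVersion
    try { $ver = [version]($raw -replace '[^\d.].*$', '') } catch { $ver = $null }   # strip any trailing text
    $vulnerable = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
    $cpe = if ($ver) { "cpe:2.3:a:rarlab:winrar:$($ver.Major).$($ver.Minor):*:*:*:*:windows:*" } else { '' }
    [pscustomobject]@{ Path = $exe; Version = $raw; Vulnerable = $vulnerable; CPE = $cpe }
}
if ($installs) { $installs | Format-Table -AutoSize } else { 'WinRAR not found at the checked locations.' }

# --- 2. Startup folders (per-user and all-users): suspect types, .lnk targets, extra streams ---
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$suspectExt  = '.lnk', '.bat', '.cmd', '.hta'
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startupDirs -File -Force -ErrorAction SilentlyContinue |   # -Force shows hidden files
    Where-Object { $_.Extension -in $suspectExt } |
    ForEach-Object {
        $file = $_
        $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { '' }
        # Any stream other than the default data stream is worth a look, given the ADS technique.
        $streams = (Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' }).Stream -join ','
        [pscustomobject]@{ File = $file.FullName; Created = $file.CreationTime; Target = $target; ExtraStreams = $streams }
    } | Format-Table -AutoSize

# --- 3. Sysmon: an archiver process writing into a Startup path during the last 30 days ---
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11, 15; StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.Image -match '\\(WinRAR|Rar|UnRAR)\.exe$' -and $d.TargetFilename -like '*\Start Menu\Programs\Startup\*') {
        [pscustomobject]@{ Time = $evt.TimeCreated; EventId = $evt.Id; Image = $d.Image; Written = $d.TargetFilename }
    }
} | Format-Table -AutoSize
```

The version comparison uses [version] rather than string comparison so that 7.9 is correctly treated as older than 7.13. The CPE line is what turns a one-off check into inventory: the same string can be matched against vulnerability data centrally, which is the point the post makes in the next sections. Event ID 15 is included alongside 11 because the technique described above writes the payload as an alternate data stream, and Sysmon records stream creation as a separate event type.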
What Remediation Actually Looks Like
Updating WinRAR is necessary—but not sufficient on its own.
Effective remediation includes:
- Immediate upgrade to WinRAR 7.13 or later
- Identifying all endpoints where WinRAR is installed
- Monitoring Startup directories for unexpected persistence
- Treating archive files as high-risk attachments, even from trusted sources
- Tracking software versions as part of your attack surface, not just inventory
This is where many organizations still struggle.
How BaseFortify Helps in Practice
BaseFortify focuses on what is actually installed, not what should be installed.
Instead of asking, “Did we patch this CVE?”, BaseFortify starts with a more operational question: Which components exist in my environment—and what are attackers doing with them right now?
For WinRAR, this means tracking it as a component using a standardized identifier (CPE). For example:
cpe:2.3:a:rarlab:winrar:7.12:*:*:*:*:windows:*
When a component like this exists in your environment, BaseFortify matches it to known vulnerabilities such as CVE-2025-8088, flags when a CVE is being actively exploited, and helps you prioritize remediation based on attacker behavior—not CVSS alone.
If you want to explore this approach yourself, you can register here: https://basefortify.eu/register.
A Broader Lesson from CVE-2025-8088
CVE-2025-8088 is not remarkable because of technical sophistication. It is remarkable because it continues to work.
Months after a patch was released, attackers still rely on this vulnerability to gain initial access across espionage operations and cybercrime alike. The lesson is uncomfortable but clear: attackers do not need new vulnerabilities when old ones remain invisible.
As long as organizations lack precise insight into what software is installed, where it runs, and how it is abused in the real world, n-day vulnerabilities will remain one of the most reliable tools in the attacker’s arsenal. Security, ultimately, is not only about reacting faster—it is about seeing more clearly.
Sources
- Security.nl — Google meldt grootschalig misbruik van bekende WinRAR-kwetsbaarheid — https://www.security.nl/posting/922417/
- Google Threat Intelligence Group — Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 — https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability