Russian APTs Exploit Patched WinRAR Path‑Traversal Flaw (CVE‑2025‑8088), Threatening Credential Harvesting
What It Is – CVE‑2025‑8088 is a path‑traversal vulnerability in WinRAR that lets a crafted archive write files outside the chosen extraction directory by abusing NTFS Alternate Data Stream (ADS) names: the stream part of an entry name is attacker controlled and is used when building the output path, so a dropped file can be steered into a location of the attacker's choosing, such as a user's Startup folder. The victim only has to extract the archive. The flaw was patched in WinRAR 7.13 (July 2025), but threat actors continue to weaponise it in the wild.
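To make the underlying check concrete, here is an added example (not code from the advisory, from WinRAR, or from RARLAB) of how an extractor should validate an archive entry's target name, including any NTFS stream suffix, before it writes anything. The function name `Test-SafeExtractionTarget`, the extraction root and the entry names are all constructed for illustration.

```powershell
function Test-SafeExtractionTarget {
    param(
        [Parameter(Mandatory)] [string] $ExtractRoot,
        [Parameter(Mandatory)] [string] $EntryName
    )
    # Canonical root with a trailing separator, so "C:\out" cannot match "C:\outside".
    $root = [System.IO.Path]::GetFullPath($ExtractRoot).TrimEnd('\') + '\'
    $deny = { param($why) [pscustomobject]@{ Entry = $EntryName; Allowed = $false; Reason = $why } }

    # 1. Absolute or drive-relative names never belong in an archive entry.
    if ([System.IO.Path]::IsPathRooted($EntryName)) { return (& $deny 'rooted path') }

    # 2. Everything after the first ':' is treated as an NTFS stream name. It is
    #    attacker controlled, so it gets the same containment check as the file name.
    $fileName, $streamName = $EntryName -split ':', 2

    foreach ($part in @($fileName, $streamName) | Where-Object { $_ }) {
        # Resolve ".." and friends, then insist the result is still under the root.
        $resolved = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $part))
        if (-not $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return (& $deny "escapes extraction root via '$part'")
        }
    }

    # 3. Even a contained stream name is refused: ordinary archives do not carry ADS,
    #    and refusing them removes the whole bypass class rather than one variant.
    if ($streamName) { return (& $deny 'alternate data stream') }

    [pscustomobject]@{ Entry = $EntryName; Allowed = $true; Reason = '' }
}

# Constructed entry names: one benign, one plain traversal, one traversal carried in the ADS suffix.
$extractRoot = 'C:\Users\Alice\Downloads\extract'
$samples = @(
    'invoice.pdf',
    '..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk',
    'invoice.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk'
)
$samples | ForEach-Object { Test-SafeExtractionTarget -ExtractRoot $extractRoot -EntryName $_ } |
    Format-Table -AutoSize
```

Only the first sample is allowed. The second is caught by the ordinary containment check; the third would pass a naive check that only looks at `invoice.pdf` and is caught because the stream suffix is resolved and contained separately, which is the point of the fix.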
Exploitability – The source reports active exploitation by two Russia‑linked APT groups (Earth Dahu/Gamaredon and SHADOW‑EARTH‑066). Public proof‑of‑concept samples exist, so the bar for copycat use is low; the CVSS base score is 8.4 (High). Exploitation still needs a user to extract the archive, typically delivered by spear‑phishing, so mail filtering and user awareness remain effective controls alongside patching.
Affected Products – WinRAR for Windows prior to 7.13. WinRAR has no automatic update mechanism, so every installation must be updated by hand or through software‑deployment tooling; organizations that have not rolled out the July 2025 release remain vulnerable. Because the technique depends on NTFS alternate data streams, non‑Windows RAR/UnRAR builds are not exposed to this vector.
TPRM Impact – The flaw is a classic third‑party software (supply‑chain) risk: a widely deployed utility becomes the delivery vehicle for credential‑stealing payloads, with no user interaction beyond opening an archive that looks like a legitimate document. A single unpatched vendor component can cascade into the networks of dozens of downstream customers, especially in government and enterprise environments that rely on WinRAR for daily operations. Asking vendors to attest to their WinRAR version is a reasonable addition to routine third‑party assessments.
Recommended Actions –
- Verify that all Windows endpoints run WinRAR 7.13 or later; remediate any legacy installations immediately.
- Block or quarantine RAR attachments at email gateways and web proxies, and use application control (allow‑listing) so that only the approved, patched WinRAR build can run on endpoints.
- Deploy endpoint detection rules for hidden LNK shortcuts placed in the Startup folder and for PowerShell loaders that invoke direct NT system calls.
- Conduct user‑awareness training focused on spear‑phishing archives that appear to contain legitimate documents (e.g., court summons, military registries).
- Monitor for anomalous file writes to C:\ProgramData\ and C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
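The following PowerShell is an added example that turns the version check and the Startup‑folder hunt above into a point‑in‑time script; it is not a script from the advisory or from Security Affairs. It assumes the patched release is 7.13 (as stated above), that installed copies are either registered under the standard Uninstall registry keys or sit at the default install path, and the function names (`Get-WinRarInstallState`, `Find-SuspiciousStartupShortcuts`, `ConvertTo-Version`) are the example's own.

```powershell
# Added example; run in an elevated PowerShell session on each Windows endpoint.
$PatchedVersion = [version]'7.13'   # first fixed release, per the advisory

function ConvertTo-Version([string] $Text) {
    # Pull the numeric part out of strings such as "7.12.0" or "WinRAR 7.12 (64-bit)".
    $m = [regex]::Match($Text, '\d+(\.\d+)+')
    if ($m.Success) { [version]$m.Value } else { $null }
}

function Get-WinRarInstallState {
    # Registered installs: native and WOW6432Node uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $results = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            $v = ConvertTo-Version $_.DisplayVersion
            [pscustomobject]@{
                Source     = 'registry'
                Path       = $_.InstallLocation
                Version    = $v
                Vulnerable = ($null -eq $v) -or ($v -lt $PatchedVersion)   # unknown counts as vulnerable
            }
        })
    # Portable or unregistered copies: fall back to the binary's own version resource.
    # (An install found both ways is listed twice; harmless for a hunt.)
    foreach ($exe in "$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe") {
        if (Test-Path -LiteralPath $exe) {
            $v = ConvertTo-Version (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            $results += [pscustomobject]@{
                Source     = 'file'
                Path       = $exe
                Version    = $v
                Vulnerable = ($null -eq $v) -or ($v -lt $PatchedVersion)
            }
        }
    }
    $results
}

function Find-SuspiciousStartupShortcuts {
    param([int] $Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # All-users Startup folder plus every profile's per-user Startup folder.
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
        @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
          ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force surfaces hidden files, which is how dropped shortcuts try to stay out of sight.
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
            $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            # Report anything created inside the window, and anything hidden regardless of age.
            if ($f.CreationTime -lt $since -and -not $hidden) { continue }
            $target = if ($f.Extension -ieq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $null }
            # Extra streams on the file itself are another sign it was not written by a normal installer.
            $streams = @(Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                         Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object Stream) -join ','
            [pscustomobject]@{
                Path    = $f.FullName
                Created = $f.CreationTime
                Hidden  = $hidden
                Target  = $target
                Streams = $streams
            }
        }
    }
}

Get-WinRarInstallState          | Format-Table -AutoSize
Find-SuspiciousStartupShortcuts | Format-Table -AutoSize
```

Treat any row with Vulnerable = True as a remediation ticket, and review every reported shortcut's Target by hand (a .lnk in Startup that launches PowerShell, or points into a user‑writable directory, deserves a closer look). This is a point‑in‑time hunt; for the continuous monitoring the last action calls for, pair it with a Sysmon FileCreate (Event ID 11) rule or your EDR's file‑write telemetry on the same two directories.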
Source: Security Affairs – Russian APTs Still Exploiting Patched WinRAR Flaw CVE‑2025‑8088