CVE-2025-8088: Critical WinRAR Path Traversal — Zero-Day RCE

A critical path traversal vulnerability in WinRAR allows attackers to execute arbitrary code by exploiting NTFS Alternate Data Streams. Here is everything you need to know.

  • CVSS Score: 8.8 (High Severity)
  • Attack Vector: Local
  • Exploit Maturity: Weaponized
  • Patch Available: Yes
  • Active Exploitation: Confirmed

TL;DR — Update Now!

  • CVE-2025-8088 is a critical Arbitrary File Write vulnerability in WinRAR
  • Attackers use NTFS Alternate Data Streams to plant malware in the Windows Startup folder
  • Affected: WinRAR versions prior to 7.13
  • Solution: Update WinRAR to version 7.13 immediately

What is CVE-2025-8088?

CVE-2025-8088 is a high-severity path traversal vulnerability affecting the file extraction process in WinRAR. The issue arises from the mishandling of NTFS Alternate Data Streams (ADS) within ZIP archives. This flaw allows an attacker to craft a malicious archive that, when unpacked by an unsuspecting user, extracts files to unintended locations—specifically the Windows Startup folder—without the user's knowledge. This leads to Remote Code Execution (RCE) upon the next system reboot.

Attack Flow Visualization

  1. Victim downloads a malicious ZIP archive
  2. Victim extracts the archive using a vulnerable WinRAR version
  3. Malicious file exploits NTFS ADS to bypass destination checks
  4. Executable payload is written silently to the Startup folder
  5. Malware executes automatically when the victim restarts the PC

How Does It Work?

The vulnerability exploits how WinRAR processes NTFS Alternate Data Streams. ADS is a feature in Windows that allows files to contain additional metadata. Attackers can create a specially crafted archive where a file entry includes a colon (:) to reference an ADS. By manipulating this, they can trick WinRAR into writing the payload outside the intended extraction folder. A common exploit scenario involves writing a script or executable into C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Since the file is hidden in an ADS or created with deceptive naming, the user sees no suspicious files in the extraction folder, but the machine is compromised.

Impact & Severity

CVSS Score: 8.8 (High)

This vulnerability has been actively exploited in the wild by threat actors, including the RomCom group and various APTs. The impact includes:
  • Remote Code Execution: Attackers gain control over the victim's machine.
  • Persistence: Malware survives reboots by residing in the Startup folder.
  • Data Theft: Once inside, attackers can exfiltrate sensitive documents and credentials.

Affected Versions

This vulnerability affects WinRAR:
  • All versions prior to 7.13

How to Fix It

The only effective remediation is to update the software.

Option 1: Update WinRAR (Mandatory)
Download and install the latest version (7.13 or newer) from the official WinRAR website (rarlab.com). The patch improves the validation of file names and NTFS streams during extraction.

Option 2: Mitigation
If you cannot update immediately, avoid extracting archives from untrusted sources. Security administrators can also block the execution of files originating from standard archive extraction paths using Endpoint Detection and Response (EDR) rules.

How to Verify Vulnerability

If your organization uses older versions of WinRAR, you are exposed to zero-day attacks. TEPTEZ can automatically scan your endpoints to identify software versions that are vulnerable to CVE-2025-8088. Our platform provides real-time visibility into your exposure and actionable remediation steps.

How to Detect Exploitation Attempts

  • Unexpected files appearing in the Windows Startup folder
  • Process execution chains starting from the Startup directory
  • WinRAR extracting files with unusual NTFS stream attributes
  • Presence of files with suspicious ADS markers in file system logs
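The entry-name checks behind the "How Does It Work" description and the detection indicators above, as an added example that is not part of the original advisory and not WinRAR's own code: a Python triage script that reads archive entry names without extracting anything and flags NTFS stream separators (a colon in the name), traversal sequences, absolute paths and names that point at the Startup folder. The regexes, the `classify_entry` / `scan_zip_bytes` names and the in-memory fixture archive (inert text, constructed here) are assumptions of this example; the heuristics support pre-extraction triage and are not proof of exploitation.

```python
import io
import re
import zipfile

# Entry-name patterns a benign archive has no reason to contain.
# Constructed triage heuristics for this example; they do not prove exploitation.
ADS_RE = re.compile(r":[^\\/]+$")                     # "file.txt:stream" (NTFS ADS)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # "../" or "..\" components
ABSOLUTE_RE = re.compile(r"^([A-Za-z]:|[\\/])")        # "C:\..." or a leading slash
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)


def classify_entry(name):
    """Return the list of findings for one archive entry name (empty list = clean)."""
    findings = []
    if ADS_RE.search(name):
        findings.append("ads-stream")
    if TRAVERSAL_RE.search(name):
        findings.append("path-traversal")
    if ABSOLUTE_RE.match(name):
        findings.append("absolute-path")
    if STARTUP_RE.search(name):
        findings.append("startup-folder-target")
    return findings


def scan_zip_bytes(data):
    """Inspect entry names only (nothing is extracted); map suspicious name -> findings."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = classify_entry(info.filename)
            if findings:
                result[info.filename] = findings
    return result


def build_sample_zip():
    """Constructed in-memory fixture: one benign entry plus two entries shaped like the
    ADS and Startup-folder names described above. All contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"benign content")
        zf.writestr("invoice.txt:hidden.exe", b"inert placeholder")
        zf.writestr("../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.bat",
                    b"inert placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip_bytes(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(findings)}")
```

The same name checks apply to any archive format once you have its entry listing; the zipfile module is used here only because the advisory describes ZIP archives.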

Protect Your Systems with TEPTEZ

Don't wait for the next zero-day. TEPTEZ continuously monitors your endpoints for CVE vulnerabilities, misconfigurations, and security threats.
