On July 31, 2025, WinRAR released version 7.13 to address a critical vulnerability, tracked as CVE-2025-8088. The flaw affects all versions up to 7.12, allowing creation of malicious archive files that bypass extraction safeguards.
Threat actors could weaponize it to write malicious files to sensitive system paths, most notably the Windows Startup folder, enabling silent code execution. The flaw received a CVSS score of 8.8 out of 10.
Between July 18 and 21, researchers observed the RomCom advanced threat actor (APT) group, also known as Storm-0978 and Tropical Scorpius, using weaponized RAR files disguised as resumes in phishing campaigns targeting defense, finance, logistics, and manufacturing sectors in Europe and Canada.
Though no confirmed breaches have been disclosed, the researchers noted the use of decoy documents and custom payloads, suggesting a high level of operational maturity. Another group, Paper Werewolf, may have exploited the same flaw in separate attacks against Russian entities.
Analyst insight
Field Effect MDR combines sophisticated attack surface and vulnerability monitoring to detect both known and unknown threats, including zero days.
WinRAR has historically been an attractive attack vector for advanced threat actors, likely due to the software’s ability to execute code during extraction, lack of file authenticity measures, and lack of auto-update.
Its use in enterprise settings could introduce additional risks—especially given its inconsistent patch adoption and history of exploited vulnerabilities. Organizations may consider alternatives with more robust security controls or sandboxing features.
- We recommend immediate deployment of WinRAR version 7.13 across all endpoints.
- Because WinRAR does not update automatically, organizations should treat this as a manual rollout and verify installation through endpoint management platforms.
- Organizations should also audit systems for the presence of suspicious RAR files received in recent weeks, particularly those masquerading as HR-related documents.
- Reinforce phishing awareness among users, especially those in high-risk departments like HR and finance. Because these campaigns use convincing decoy documents, traditional security solutions may not flag the threat until after execution.
- Network segmentation and least privilege access can further limit the chance of a successful compromise.
- Finally, consider implementing application control policies that restrict the execution of binaries extracted from archive files.
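As an added example (not part of this advisory or of Field Effect's tooling), the two audits recommended above in Python: a version check that flags WinRAR installs older than 7.13, and a pre-extraction review of archive entry names that would land outside the extraction directory or inside a Windows Startup folder. The entry names are a constructed sample; in practice they would come from an archive listing (for example `rarfile.RarFile.namelist()`), and `ntpath` is used so the check also runs on non-Windows analysis hosts.

```python
import ntpath
import re

# First WinRAR release that fixes CVE-2025-8088 (from the advisory).
FIXED_VERSION = (7, 13)
# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_FRAGMENT = r"\microsoft\windows\start menu\programs\startup"

def parse_version(text):
    """'7.12' or 'WinRAR 7.01 (64-bit)' -> (7, 12) / (7, 1)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))

def needs_update(installed):
    """True when the reported WinRAR version predates the 7.13 fix."""
    return parse_version(installed) < FIXED_VERSION

def resolves_outside(entry, extract_root):
    """True if extracting `entry` under `extract_root` would write elsewhere."""
    root = ntpath.normcase(ntpath.normpath(extract_root))
    # Absolute, UNC or drive-qualified names already escape the root.
    if ntpath.isabs(entry) or ntpath.splitdrive(entry)[0]:
        return True
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, entry)))
    return target != root and not target.startswith(root + "\\")

def targets_startup(entry):
    """True if the entry name points into a Windows Startup folder."""
    return STARTUP_FRAGMENT in ntpath.normcase(ntpath.normpath(entry))

def suspicious_entries(entries, extract_root):
    """Entry names a defender should refuse to extract or should quarantine."""
    return [e for e in entries
            if resolves_outside(e, extract_root) or targets_startup(e)]

# Constructed sample listing, modelled on a resume-themed lure (not a real sample).
SAMPLE_ENTRIES = [
    "resume.pdf",
    "images/photo.jpg",
    r"..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\Public\helper.dll",
]

if __name__ == "__main__":
    print("update needed:", needs_update("WinRAR 7.12 (64-bit)"))
    print(suspicious_entries(SAMPLE_ENTRIES, r"C:\Users\bob\Downloads\resume"))
```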