A wide range of adversaries, including state-sponsored actors, are exploiting a WinRAR vulnerability that was patched last July, with researchers noting it remains active months after the fix. The flaw, CVE-2025-8088, is a high-severity path traversal vulnerability affecting the Windows version of WinRAR and was disclosed after being discovered by ESET.
Google Threat Intelligence Group published a blog post detailing exploitation of CVE-2025-8088 (the post is referenced in the bug's National Vulnerability Database listing), noting that threat actors from China and Russia are targeting organisations worldwide. Exploitation began as early as 18 July 2025, with attackers crafting malicious RAR files that use NTFS Alternate Data Streams to conceal payloads and drop them where they launch on startup, gaining persistence.
The researchers emphasised that the risk is amplified for small and midsized businesses, which often have WinRAR installed but neither actively managed nor updated.