—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Path Traversal Vulnerability in WinRAR 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

WinRAR for Windows (all versions up to and including 7.12)

Windows versions of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll

Overview

A directory traversal vulnerability has been reported in WinRAR which could allow a remote attacker to achieve persistence, gain unauthorized access, and perform further malicious activities on the affected system.

Target Audience:

All organizations and individuals using WinRAR.

Risk Assessment:

High risk of arbitrary code execution and persistent system compromise.

Impact Assessment:

Potential for persistent arbitrary code execution, data theft, and account takeover.

Description

WinRAR is a widely used file archiving utility that supports multiple compression formats, including RAR and ZIP.

This vulnerability exists due to insecure handling of directories and Alternate Data Streams (ADS) in specially crafted RAR archives, enabling directory traversal. An attacker could exploit this to place hidden executable or shortcut files in Windows Startup folders, leading to execution at system startup or user login.

Successful exploitation could allow the attacker to achieve persistence, gain unauthorized access, and perform further malicious activities on the affected system.

Note: CVE-2025-8088 is reported to be actively exploited in the wild.

Solution

Update to WinRAR version 7.13 or later as provided by the vendor as given below. WinRAR does not support automatic updates; manual installation of the latest version is required.

https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews[tt_news]=283

Vendor Information

WinRaR

https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews[tt_news]=283

References

 

https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/

CVE Name

CVE-2025-8088

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmicjg0ACgkQ3jCgcSdc

ys/z1g//Vi4zq5Rpr+6AdFk/BG88X/XIxVjWogOdfpGjUY2QRMERa42ihX3Fev+Q

Yw69UlkxNs4nVbDb91PG4pS5CLZJT/DGNGWNQ9PfOT3arrp53X5uPJGo2Q8ifC0X

9Jrt6qG9p5z+mIkgyDXntrbULHl3XA35pr7dMT+I6c71TSHNLS57OYwJDC7vrmiW

pqPNFElODA0hepmaYEiCt3Bt94CseLSF7xOK49OzU2eWup0jkrQz9dFNY2GtI762

9l441CHEocO7pKzhVZro8jJVO7rjmOyRGVpRcWshToYsoVbgvh8ILqLN4oyL+1Mq

GAk80EBgEWXMS7TyGvzpUyJAVy7DD/3N+VPs1gGJwHS8i/RBRzlLiTvw1Bi98Aia

csx66wyPG/HX2EHsMfxWZZvOPS7S7GmRX/ufYduBxjtbzPJRbazUmeKwF3w4Sadj

7q2oUHVgAT2+haIMg54OsUxHX77l64XRIDG3vhV+1wfhK4fask8scKG6GkQihLin

BqZGUGxky7EvbRWdUl/aQeeqg4+BXgBg+dSYY/A0NH8bOC0xmYmnqPGBzF+RJrOr

90Oeyte/n7LeJbBqb3IhlPcwfLJFSYXHxkXPfmAM6Xy0UJHQWyatMN4b/L8JQyHB

5N1KK6VaPZz7ZrUWGEsV3uYUPRgEYlXSfFcGG304M02DSa9U1fg=

=sqRg

—–END PGP SIGNATURE—–