WinRAR Zero-Day Exploited in Active Phishing Campaigns

A new zero-day vulnerability in WinRAR (CVE-2025-8088) is under active exploitation, with attackers leveraging it in targeted phishing campaigns. The flaw, a directory traversal vulnerability, impacts Windows versions of WinRAR, RAR, UnRAR, portable UnRAR, and UnRAR.dll.

What’s the Issue?

This vulnerability enables a malicious RAR archive to override the default extraction path and drop files into Windows startup folders:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per-user)
  • %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (system-wide)

Once placed there, these files execute automatically on the next system reboot — no further user action required. A single extraction could open the door to a full compromise.
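As an added defensive example (not code from this post, from WinRAR or from ESET), the check below applies Windows path resolution to an archive's entry names before anything is extracted and flags any entry that would escape the chosen directory, singling out those that would land in one of the Startup folders listed above. The extraction directory, the user profile "alice" and the entry names are constructed sample values.

```python
import ntpath

# Startup folders named in the advisory, with the environment variables
# resolved to constructed sample values for a user "alice".
STARTUP_DIRS = (
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)

def resolve_target(extract_dir: str, entry_name: str) -> str:
    """Return the absolute Windows path an entry would be written to."""
    # ntpath.join discards extract_dir when entry_name is absolute or on another
    # drive; that is exactly a case we want to surface, so it is not pre-filtered.
    return ntpath.normpath(ntpath.join(extract_dir, entry_name))

def _is_within(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it (case-insensitive, like NTFS)."""
    path_l = ntpath.normcase(ntpath.normpath(path))
    root_l = ntpath.normcase(ntpath.normpath(root))
    return path_l == root_l or path_l.startswith(root_l.rstrip("\\") + "\\")

def audit_entries(extract_dir: str, entry_names: list[str]) -> list[dict]:
    """Classify each entry as 'ok', 'escapes', or 'startup' (escape into a Startup folder)."""
    findings = []
    for name in entry_names:
        target = resolve_target(extract_dir, name)
        if _is_within(target, extract_dir):
            verdict = "ok"
        elif any(_is_within(target, d) for d in STARTUP_DIRS):
            verdict = "startup"
        else:
            verdict = "escapes"
        findings.append({"entry": name, "target": target, "verdict": verdict})
    return findings

# Constructed sample listing: one benign file, one generic traversal,
# one traversal that reaches the per-user Startup folder.
SAMPLE_ENTRIES = [
    r"report\Q3-figures.pdf",
    r"..\..\Desktop\notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
]

if __name__ == "__main__":
    for f in audit_entries(r"C:\Users\alice\Downloads\report", SAMPLE_ENTRIES):
        print(f"{f['verdict']:8} {f['entry']} -> {f['target']}")
```

The same resolution logic can be pointed at the entry list of any archive format; a listing that contains a "startup" or "escapes" verdict is a reason to quarantine the file rather than extract it.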

How It’s Being Exploited

Security researchers at ESET — Anton Cherepanov, Peter Košinár, and Peter Strýček — have confirmed active exploitation by RomCom (also tracked as Storm-0978, Tropical Scorpius, UNC2596), a threat actor linked to cyber-espionage. Attackers deliver malicious RAR files via phishing emails. When opened in a vulnerable WinRAR version, the payload silently lands in the startup folders, ensuring execution on the next boot.

The entire attack chain depends on something as simple as opening an archive — making it both effective and dangerous.

What You Should Do

The WinRAR team has released version 7.13 to patch this flaw. However, WinRAR does not update automatically — you must download and install the new version manually from the official WinRAR website.

Recommended actions:

  • Update immediately to WinRAR 7.13 or later.
  • Train users to treat unsolicited RAR attachments with caution.
  • Strengthen email filtering and phishing detection measures.

This is not an update to postpone — active exploitation means every unpatched system is at risk. Closing the gap now is far easier than cleaning up after an intrusion.

Automating Your Response with ManageEngine

While WinRAR relies on manual updates, your patch management doesn’t have to. With ManageEngine Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can automatically detect vulnerable versions of WinRAR across your network and deploy the patch to every endpoint in a single action. No chasing users, no waiting — just fast, centralized patching that closes the door on this threat before it can knock.
