# WinRAR Zero-Day Exploited in Active Phishing Campaigns

A new zero-day vulnerability in WinRAR (**CVE-2025-8088**) is under active exploitation, with attackers leveraging it in targeted phishing campaigns. The flaw, a directory traversal vulnerability, affects the Windows versions of WinRAR, RAR, UnRAR, portable UnRAR, and UnRAR.dll.

## What’s the Issue?

The vulnerability lets a malicious RAR archive override the extraction path chosen by the user and drop files into the Windows startup folders:

- `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` (per-user)
- `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` (system-wide)

Once placed there, these files execute automatically at the next reboot — no further user action is required. A single extraction can open the door to a full compromise.

## How It’s Being Exploited

Security researchers at ESET — Anton Cherepanov, Peter Košinár, and Peter Strýček — have confirmed active exploitation by RomCom (also tracked as Storm-0978, Tropical Scorpius, and UNC2596), a threat actor linked to cyber-espionage.

Attackers deliver malicious RAR files via phishing emails. When such an archive is opened in a vulnerable WinRAR version, the payload silently lands in a startup folder, ensuring execution on the next boot. The entire attack chain depends on something as simple as opening an archive — which makes it both effective and dangerous.

## What You Should Do

The WinRAR team has released version **7.13** to patch this flaw. However, WinRAR does not update automatically — you must download and install the new version manually from the official WinRAR website.

**Recommended actions:**

- Update immediately to WinRAR 7.13 or later.
- Train users to treat unsolicited RAR attachments with caution.
- Strengthen email filtering and phishing detection measures.

This is not an update to postpone — active exploitation means every unpatched system is at risk. Closing the gap now is far easier than cleaning up after an intrusion.
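For administrators who want to verify the two points above on their own machines before (or alongside) rolling out the update, the following PowerShell script is an added example written for this post; it is not code from the original advisory or from any WinRAR or ManageEngine tool. It reports WinRAR installations whose file version is below the fixed release 7.13, and lists files recently created in the system-wide and every per-user Startup folder named above. It assumes WinRAR.exe sits in the default install directories and that its file metadata carries a version string comparable to 7.13; portable UnRAR copies and non-default install paths are outside that assumption.

```powershell
# Added example for this advisory (not from WinRAR or ManageEngine).
# Assumption: WinRAR.exe is installed under the default Program Files folders
# and its ProductVersion metadata starts with a numeric version such as 7.12 or 7.13.

$FixedVersion = [version]'7.13'   # first release containing the fix, as stated in the advisory

function Get-WinRarInstalls {
    # Candidate roots; the (x86) variable is absent on 32-bit Windows, so skip empty entries.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (-not (Test-Path $exe)) { continue }

        $raw = (Get-Item $exe).VersionInfo.ProductVersion
        # Keep only the leading dotted-number part so it can be cast to [version].
        $ver = if ($raw -match '^\s*(\d+(\.\d+){1,3})') { [version]$Matches[1] } else { $null }

        [pscustomobject]@{
            Path       = $exe
            Version    = $ver
            # Treat an unparseable version as vulnerable so it is not silently skipped.
            Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
        }
    }
}

function Get-RecentStartupEntries {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)

    # System-wide Startup folder (%ProgramData%\...\StartUp).
    $folders = @([Environment]::GetFolderPath('CommonStartup'))

    # Per-user Startup folders (%APPDATA%\...\Startup) for every local profile,
    # not only the account running this script.
    $folders += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($folder in ($folders | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' -and $_.CreationTime -ge $cutoff } |
            Select-Object DirectoryName, Name, CreationTime, Length
    }
}

$installs = @(Get-WinRarInstalls)
if ($installs.Count -eq 0) {
    Write-Output 'No WinRAR.exe found in the default install folders (portable copies are not covered).'
} else {
    Write-Output 'WinRAR installations:'
    $installs | Format-Table -AutoSize
}

Write-Output 'Files created in Startup folders during the last 30 days:'
Get-RecentStartupEntries -Days 30 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that other users' profile folders are readable. A `Vulnerable = True` row means the install should be updated; any unexpected file in the Startup listing deserves a closer look, since a benign extraction should never write there.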
## Automating Your Response with ManageEngine While WinRAR relies on manual updates, your patch management doesn’t have to. With ManageEngine [Endpoint Central](https://pitstop.manageengine.com/portal/en/community/topic/winrar-7-13-x64-security-vulnerability-%E2%80%93-immediate-patch-advisory), [Patch Manager Plus](https://pitstop.manageengine.com/portal/en/community/topic/winrar-7-13-x64-security-vulnerability%E2%80%93-immediate-patch-advisory), or [Vulnerability Manager Plus](https://pitstop.manageengine.com/portal/en/community/topic/winrar-7-13-x64-security-vulnerability%E2%80%93-immediate-patch-advisory-11-8-2025), you can automatically detect vulnerable versions of WinRAR across your network and deploy the patch to every endpoint in a single action. No chasing users, no waiting — just fast, centralized patching that closes the door on this threat before it can knock.