WinRAR Flaw: How It Was Exploited to Spread Malware.
WinRAR was found to contain a zero-day vulnerability (CVE-2025-8088) that attackers can exploit through a malicious RAR file to write data into sensitive system directories (such as the Startup folder or %TEMP%), leading to silent malware installation. The vulnerability has already been used by the Russian threat group RomCom APT to deploy several kinds of malware. Users are advised to update to version 7.13 or later to fix the problem. 2025-9-8 10:50:36 Author: infosecwriteups.com

S.Ali

Heads Up: If you use WinRAR, update it now to version 7.13 or newer.

WinRAR, the free file archiver used by millions worldwide, was found at the center of a zero-day vulnerability.

ESET, a security firm, found a flaw in WinRAR (CVE-2025-8088) that enabled attackers to write files outside of the extraction directory by abusing a decade-old Windows feature still present in the NTFS file system, Alternate Data Streams (ADS), combined with path traversal sequences (..\..).

What happened?

This flaw let attackers craft malicious .rar archives containing specially formatted file paths. Such archives could then write data outside the folder into which the user intended to extract them. By combining path traversal sequences with NTFS Alternate Data Streams (ADS), they bypassed WinRAR's normal checks, which could lead to a silent malware drop into the Startup folder, %TEMP%, or %LOCALAPPDATA%.

This was not a memory corruption or kernel exploit. This was a classic input sanitization flaw. The attackers simply needed to convince a user to extract a malicious archive.
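The sanitization that an extractor has to perform on every entry name before writing, as an added illustration (this is not code from the article or from WinRAR): reject drive-qualified and absolute paths, parent-directory traversal components, and the NTFS `file:stream` ADS syntax. The entry names in the sample listing are constructed for the demonstration.

```python
def entry_path_violations(entry_name: str) -> list[str]:
    """Return the reasons an archive entry name must be rejected, or [] if it
    may be extracted under the destination directory chosen by the user."""
    reasons: list[str] = []
    name = entry_name.replace("/", "\\")          # archive entries may use either separator
    if len(name) >= 2 and name[0].isalpha() and name[1] == ":":
        reasons.append("drive-qualified path")
        name = name[2:]                            # strip 'C:' so the ADS check below is not fooled
    if name.startswith("\\"):
        reasons.append("absolute path")
    parts = name.split("\\")
    if ".." in parts:
        reasons.append("parent-directory traversal ('..') component")
    if any(":" in p for p in parts):
        # Any remaining colon is ADS syntax on NTFS and would redirect the write.
        reasons.append("NTFS alternate data stream syntax ('file:stream')")
    return reasons


def triage_entries(entry_names: list[str]) -> dict[str, list[str]]:
    """Map every unsafe entry name to its violations; safe names are omitted."""
    return {n: v for n in entry_names if (v := entry_path_violations(n))}


# Constructed sample listing of the kind a decoy archive might carry (hypothetical names).
SAMPLE_ENTRIES = [
    "report.pdf",                                   # benign
    "images/cover.png",                             # benign subfolder
    "..\\..\\Startup\\update.lnk",                  # traversal toward a startup-type folder
    "report.pdf:payload",                           # ADS: data hidden behind a benign name
    "report.pdf:..\\..\\Temp\\dropper",             # ADS combined with traversal
    "C:\\Users\\Public\\x.exe",                     # drive-qualified absolute path
]

if __name__ == "__main__":
    for name, why in triage_entries(SAMPLE_ENTRIES).items():
        print(f"REJECT {name!r}: {', '.join(why)}")
```

Only the four crafted names are rejected; the two benign entries pass, which is the behaviour a patched extractor should show.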

How It Was Exploited

Researchers tracked the Russian threat group RomCom APT (also known as Tropical Scorpius or Storm-0978) exploiting this bug to deploy several types of malware, including:

  • Mythic Agent: a command and control framework.
  • SnipBot: a modular loader with…

Source: https://infosecwriteups.com/winrar-flaw-how-it-was-exploited-to-spread-malware-61088e6e9ef8?source=rss----7b722bfd1b8d--bug_bounty
For infringement concerns, contact: admin#unsafe.sh