WinRAR Flaw CVE-2025-8088 Still Exploited in 2026

Here is an uncomfortable fact: a WinRAR vulnerability patched back in mid-2025 is still being actively exploited in 2026, and the reason is depressingly simple. WinRAR does not auto-update, so an enormous installed base never got the fix, and attackers from state-backed espionage crews to commodity malware gangs are still cashing in. If you run any version below 7.13, you are the target.

Key takeaways

• CVE-2025-8088 (CVSS 8.8) is a path-traversal flaw in the Windows version of WinRAR that abuses alternate data streams to write files outside the extraction directory.
• It was patched in WinRAR 7.13 on July 30, 2025, but unpatched installs remain widely exploited into 2026.
• Russian and Chinese state-aligned groups, including APT44 and Turla, plus financially motivated crews, have all weaponized it.
• WinRAR does not auto-update, which is exactly why so many vulnerable copies persist. You must update it manually.
• The 7.13 fix also covers a second known-exploited flaw, CVE-2025-6218, so updating closes both.

How the attack works

When you extract an archive, you expect the files to land inside the folder you chose. CVE-2025-8088 breaks that assumption. By crafting an archive that uses path-traversal sequences combined with Windows alternate data streams, an attacker can force extracted files to land in a location of their choosing, such as the Windows Startup folder, so the payload runs automatically the next time you log in.

The victim only has to open or extract a malicious RAR file, often delivered through a phishing email or a fake download. From there, the planted file executes and the attacker gains a foothold. No further clicks, no obvious warning.

> phishing email a

Who is exploiting it, and what they drop

This is not one group or one payload. The flaw has been adopted across the threat spectrum, which is part of why it keeps showing up.

Actor type	Examples	Typical payload
State-aligned espionage	APT44 (Sandworm), Turla, RomCom	Backdoors, espionage implants
Financially motivated crews	Various commodity operators	Infostealers, remote-access trojans
Initial-access brokers	Opportunistic actors	Footholds sold to ransomware affiliates

The common thread is that they all rely on the same thing: someone running an outdated WinRAR who opens the wrong attachment.

Why it is still being exploited

The patch has existed for nearly a year, so why is this still a live threat? Because WinRAR has no automatic update mechanism. Each user has to download and install the new version themselves, and most never do. That leaves an enormous installed base of vulnerable copies, and attackers know it. Google's threat-intelligence team and Mandiant tracked continued exploitation through December, January, and beyond, using the flaw to deliver commodity remote-access trojans and infostealers alongside more targeted espionage payloads.

How to protect yourself

1. Update WinRAR to 7.13 or later. Download it directly from the official win-rar.com site and install over your existing copy. This is the single most important step.

2. Check every machine. WinRAR is often installed on family PCs, old laptops, and work machines that nobody maintains. Update all of them, not just your main computer.

3. Be skeptical of archive attachments. Treat unexpected RAR, ZIP, and other archive files in email as suspicious, even if they appear to come from someone you know.

4. Scan after extracting from untrusted sources. If you must open an archive you are unsure about, do it on a machine with up-to-date endpoint protection.

5. Consider built-in extraction. Modern Windows 11 can open RAR, 7z, and TAR archives natively, reducing reliance on third-party tools that you may forget to patch.

What to do tonight

• Open WinRAR, check Help > About, and confirm the version is 7.13 or later.
• If it is below 7.13, download the latest from win-rar.com and install it now.
• Audit other PCs in your household and at work; update or uninstall any old copies.
• Delete or quarantine any unexpected archive attachments sitting in your inbox.
• If you opened a risky archive recently, run a full malware scan and a data-breach exposure check.

Why archive bugs are so effective

Archives are a near-perfect malware delivery vehicle, which is why a flaw like this keeps paying off for attackers. A RAR or ZIP file looks innocuous, routinely arrives by email, and is often whitelisted or waved through by users who extract attachments without a second thought. The path-traversal trick adds a nasty twist: you think you are extracting files into a folder you chose, but the malicious archive quietly writes one into a location that auto-runs, such as the Startup folder. The user sees the files they expected and never notices the extra payload that was planted alongside them.

That combination, a familiar file type, a trusted action (extracting), and a silent write to an auto-execute location, is exactly why endpoint defenses struggle. Nothing looks overtly wrong at the moment of extraction. The malicious behavior happens at the next login, by which point the connection to the archive is easy to miss. Patching removes the path-traversal capability entirely, which is far more reliable than hoping detection catches every variant.

The bigger lesson on unpatched software

This flaw is a textbook example of how a single unpatched utility becomes a long-tail threat. The malware delivered through it, especially infostealers, harvests browser passwords, session cookies, and crypto wallets that fuel the next wave of attacks. Our guides on protecting against infostealer cookie and session theft and defending against ClickFix fake-CAPTCHA lures cover what those payloads do once they land.

The wider takeaway: keep every piece of software current, not just the operating system. Tools without auto-update are the ones most likely to bite you, precisely because they fade into the background and never prompt you to patch.

Frequently asked questions

Does this affect Mac or Linux WinRAR builds?

The actively exploited path-traversal behavior tied to alternate data streams is specific to the Windows version of WinRAR. Still, updating to the current release across all platforms is good hygiene.

I have WinRAR but rarely use it. Should I still update?

Yes. The risk is in opening a malicious archive, and a dormant but installed copy is still the program that handles RAR files when you double-click one. Update it or uninstall it entirely.

How do I check my WinRAR version?

Open WinRAR, go to the Help menu, and choose About. If it reports anything below 7.13, you are vulnerable and should update immediately.

Will antivirus catch a malicious archive?

Modern endpoint protection may detect known payloads, but signature evasion is common and the path-traversal trick itself can slip past basic scanning. Patching removes the underlying flaw rather than relying on detection after the fact.

Can I just use Windows to open archives instead?

Largely, yes. Windows 11 now extracts RAR, 7z, and TAR archives natively. For everyday extraction that removes the need for WinRAR, though dedicated tools still offer more features like creating and encrypting archives.