LmCast :: Stay tuned in

WinRAR path traversal flaw still exploited by numerous hackers

Recorded: Jan. 27, 2026, 8 p.m.


WinRAR path traversal flaw still exploited by numerous hackers

By Bill Toulas

January 27, 2026, 02:38 PM

Multiple threat actors, both state-sponsored and financially motivated, are exploiting the CVE-2025-8088 high-severity vulnerability in WinRAR for initial access and to deliver various malicious payloads.
The security issue is a path traversal flaw that leverages Alternate Data Streams (ADS) to write malicious files to arbitrary locations. Attackers have exploited this in the past to plant malware in the Windows Startup folder, for persistence across reboots.
Researchers at cybersecurity company ESET discovered the vulnerability and reported in early August 2025 that the Russia-aligned group RomCom had been exploiting it in zero-day attacks.

In a report today, the Google Threat Intelligence Group (GTIG) says that exploitation started as early as July 18, 2025, and continues to this day from both state-backed espionage actors and lower-tier, financially motivated cybercriminals.
"The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive.
"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google researchers explain. 
When opened, WinRAR extracts the ADS payload using directory traversal, often dropping LNK, HTA, BAT, CMD, or script files that execute on user login.
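The exploit chain described above leaves a recognisable trace in the archive's own file listing: a decoy entry with an Alternate Data Stream attached, a stream name containing directory-traversal segments, and a payload type that executes at user login. The following Python is an added example written for this page, not code from the article, Google or ESET. It assumes the archive lister reports ADS entries with the Windows `file:stream` colon syntax, works purely on entry names (no RAR parsing), and uses a constructed sample listing; a real triage tool would feed it the output of its own archive lister.

```python
"""Heuristic triage of archive entry names for ADS-based path traversal.

Added example, not code from the BleepingComputer article or from Google/ESET.
Input is the list of entry names an archive lister prints; the heuristic flags
the patterns the article describes: a '..' traversal segment in an entry path,
a traversal or Startup-folder target hidden inside an Alternate Data Stream
(ADS) name, and a stream whose extension runs at user login. A benign-looking
stream such as Zone.Identifier or a dummy-data stream is reported but not
flagged on its own. The sample listing at the bottom is constructed.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Payload types the article says get dropped for execution at user login.
AUTORUN_EXTS = {".lnk", ".hta", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)
ABSOLUTE_RE = re.compile(r"^[A-Za-z]:[\\/]")


@dataclass
class Finding:
    entry: str
    stream: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'file.pdf:stream' into (file, stream).

    A drive-letter prefix such as 'C:\\' is not a stream separator, so the
    search for the colon starts after it.
    """
    start = 0
    if len(entry) >= 3 and entry[0].isalpha() and entry[1] == ":" and entry[2] in "\\/":
        start = 2
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def has_traversal(path: str) -> bool:
    """True when any path segment (either separator style) is '..'."""
    return any(seg == ".." for seg in re.split(r"[\\/]", path))


def extension(path: str) -> str:
    return posixpath.splitext(path.replace("\\", "/"))[1].lower()


def classify_entry(entry: str) -> Finding:
    base, stream = split_ads(entry)
    finding = Finding(entry, stream)
    if has_traversal(base):
        finding.reasons.append("traversal in entry path")
    if base.startswith(("\\", "/")) or ABSOLUTE_RE.match(base):
        finding.reasons.append("absolute entry path")
    if stream is not None:
        if has_traversal(stream):
            finding.reasons.append("traversal inside ADS name")
        if STARTUP_RE.search(stream):
            finding.reasons.append("ADS targets a Startup folder")
        if extension(stream) in AUTORUN_EXTS:
            finding.reasons.append(f"ADS carries autorun payload type {extension(stream)}")
    return finding


def scan_listing(entries: List[str]) -> List[Finding]:
    return [classify_entry(e) for e in entries]


def suspicious_entries(entries: List[str]) -> List[str]:
    return [f.entry for f in scan_listing(entries) if f.suspicious]


# Constructed sample listing; the names are illustrative, not from a real archive.
SAMPLE_LISTING = [
    "invoice_2025.pdf",
    "invoice_2025.pdf:Zone.Identifier",
    "invoice_2025.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "invoice_2025.pdf:padding.bin",
    "..\\..\\Users\\Public\\notes.txt",
    "docs/readme.txt",
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        status = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{status:10} {finding.entry}")
        for reason in finding.reasons:
            print(f"           - {reason}")
```

Run it as a script to see the two flagged entries in the sample: the ADS that both traverses out of the extraction directory and names a Startup-folder LNK, and the plain entry whose path itself contains `..`. The `Zone.Identifier` and `padding.bin` streams are listed but not flagged, which matches the article's note that some ADS entries in these archives are only dummy data; a production check would still want to log every ADS entry, since archives rarely carry them legitimately.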
Among the state-sponsored threat actors that Google researchers observed exploiting CVE-2025-8088 are:
UNC4895 (RomCom/CIGAR) delivering NESTPACKER (Snipbot) via spearphishing to Ukrainian military units.
APT44 (FROZENBARENTS) using malicious LNK files and Ukrainian-language decoys for follow-on downloads.
TEMP.Armageddon (CARPATHIAN) dropping HTA downloaders into Startup folders (activity ongoing into 2026).
Turla (SUMMIT) delivering the STOCKSTAY malware suite using Ukrainian army themes.
China-linked actors using the exploit to deploy POISONIVY, dropped as a BAT file that downloads additional payloads.

Exploitation timeline (Source: Google)
Google also observed financially motivated actors exploiting the WinRAR path-traversal flaw to distribute commodity remote access tools and information stealers such as XWorm and AsyncRAT, Telegram bot-controlled backdoors, and malicious banking extensions for the Chrome browser.
All these threat actors are believed to have sourced working exploits from specialized suppliers, such as one using the alias “zeroplayer,” who advertised a WinRAR exploit last July.
The same threat actor has also marketed multiple high-value exploits last year, including alleged zero-days for Microsoft Office sandbox escape, corporate VPN RCE, Windows local privilege escalation, and bypasses for security solutions (EDR, antivirus), selling them for prices between $80,000 and $300,000.
Google comments that this reflects the commoditization of exploit development, a crucial stage of the cyberattack lifecycle: it reduces the friction and complexity for attackers and lets them target unpatched systems in a short time.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


Comments

Zurv - 4 hours ago


oh my. Do people still install this?

xmris - 4 hours ago


well, some people have no brain to update to the patched 7.13 and stay on an older version.


This BleepingComputer article details the ongoing exploitation of a path traversal vulnerability (CVE-2025-8088) within the WinRAR archive utility by a diverse range of cyber threat actors. Google Threat Intelligence Group (GTIG) identified that this vulnerability, initially reported in early August 2025, is still actively exploited as of January 2026. The core of the issue lies in the ability of attackers to leverage Alternate Data Streams (ADS) to write malicious files to arbitrary locations within a system, often utilizing directory traversal techniques.

The report identifies several distinct groups engaged in exploiting this flaw. State-sponsored actors include UNC4895 (RomCom/CIGAR), which delivered NESTPACKER (Snipbot) to Ukrainian military units, and APT44 (FROZENBARENTS), which used malicious LNK files with Ukrainian-language decoys. TEMP.Armageddon (CARPATHIAN) has been persistently dropping HTA downloaders into Startup folders, extending its activity into 2026. Additionally, Turla (SUMMIT) has used the vulnerability to deploy the STOCKSTAY malware suite, themed around the Ukrainian army. Finally, China-linked actors have employed the vulnerability to deploy POISONIVY, distributed as a BAT file that downloads additional payloads.

Beyond state-sponsored threats, the article highlights the exploitation by financially motivated cybercriminals. Google researchers observed these actors distributing commodity remote access tools like XWorm and AsyncRAT, leveraging Telegram bot-controlled backdoors, and deploying malicious Chrome browser extensions for banking fraud. The article’s emphasis rests on the fact that these attackers sourced working exploits from specialized suppliers, most notably “zeroplayer,” who advertised a WinRAR exploit last July. This supplier has also marketed multiple high-value exploits targeting Microsoft Office sandbox escapes, corporate VPNs, Windows local privilege escalation, and bypassing security solutions (EDR, antivirus) for prices ranging from $80,000 to $300,000. This reflects the increasing commoditization of exploit development, reducing the complexity and friction in the cyberattack lifecycle and contributing to a rapid targeting of unpatched systems.

The ongoing nature of this exploitation underscores several significant security concerns. First, the diversity of threat actors involved indicates a broad appeal of the vulnerability, making it attractive to both sophisticated nation-state groups and less experienced cybercriminals. Second, the commoditization of exploit development suggests a decrease in the cost of launching attacks, making attacks more feasible for a wider range of actors. Lastly, the fact that this vulnerability is still being actively exploited in 2026 demonstrates the urgency of patching systems to prevent further compromise. Google's analysis reinforces the critical need for regular patching and vulnerability scanning, alongside other foundational security measures, to mitigate the risk posed by exploited vulnerabilities like this path traversal flaw in WinRAR.