A critical zero-day vulnerability has been identified in WinRAR that cybercriminals are actively exploiting through sophisticated phishing campaigns to distribute RomCom malware.
The flaw, designated as CVE-2025-8088, represents a significant security threat with a CVSS v3.1 score of 8.4, enabling attackers to execute arbitrary code on victims’ systems through malicious archive files.
Key Takeaways
1. WinRAR vulnerability lets attackers plant malware through malicious archives.
2. Criminals exploit this via phishing to deploy RomCom malware on Windows systems.
3. Update to WinRAR 7.13 immediately.
Path Traversal Flaw Exploited in Wild
The vulnerability stems from a directory traversal weakness that affects Windows versions of WinRAR, including RAR, UnRAR, portable UnRAR source code, and UnRAR.dll components.
When users extract files from a specially crafted archive, the crafted entry paths steer the extraction process so that files land in locations other than the destination folder the user selected.
ESET security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček discovered this critical flaw and confirmed its active exploitation in real-world attacks.
The vulnerability allows threat actors to carry out a path traversal attack: the malicious archive contains embedded file paths that override the legitimate extraction destination.
This technique lets attackers place executable files in sensitive system directories, potentially gaining persistence and elevated privileges on the compromised system.
The exploitation method involves crafting archives whose directory structure bypasses WinRAR's file path validation.
When victims extract these archives using vulnerable WinRAR versions, the malware automatically executes without requiring additional user interaction, making it particularly dangerous for unsuspecting users.
RomCom Malware Campaign
Cybercriminals have weaponized this zero-day vulnerability specifically to distribute RomCom malware through targeted phishing campaigns.
The attack chain typically begins with social engineering tactics, where victims receive seemingly legitimate compressed files via email attachments or malicious download links.
These archives contain the RomCom payload disguised as legitimate documents or software installers.
The RomCom malware campaign demonstrates sophisticated APT-style tactics, utilizing the WinRAR vulnerability as an initial access vector.
Once successfully deployed, the malware establishes command and control communications, enabling threat actors to perform reconnaissance, lateral movement, and data exfiltration activities within compromised networks.
Security analysts note that this attack vector is particularly effective because compressed archives are commonly shared in business environments, making detection challenging for traditional security solutions that may not thoroughly inspect archive contents before extraction.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Windows versions of WinRAR; Windows versions of RAR; Windows versions of UnRAR; portable UnRAR source code; UnRAR.dll |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | User must extract a specially crafted malicious archive; social engineering (phishing emails / malicious downloads); no additional user interaction required after extraction |
| CVSS 3.1 Score | 8.4 (High) |
Mitigations
WinRAR developers have addressed this critical vulnerability in version 7.13, released on July 30, 2025.
The patch fixes a directory traversal flaw that is distinct from the vulnerability previously addressed in WinRAR 7.12.
Importantly, Unix versions of RAR, UnRAR, portable UnRAR source code, UnRAR library, and RAR for Android remain unaffected by this Windows-specific vulnerability.
Organizations and individual users must immediately update to WinRAR 7.13 or later versions to mitigate exploitation risks.
Additional protective measures recommended include scanning compressed files with updated endpoint detection solutions before extraction and restricting archive handling privileges in enterprise environments to minimize potential attack surfaces.
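The path traversal described above, and the recommendation to inspect archives before extraction, come down to one check: does any entry name resolve to a location outside the chosen destination folder? The following is an added example, not code from the article or from the WinRAR project. Because Python's standard library cannot read RAR, it builds a ZIP archive in memory with constructed entry names (the file names and contents are hypothetical); the classification logic only looks at entry names, so the same rules apply to a RAR listing obtained from any tool. It flags absolute paths and parent-directory components, confirms containment by resolving the final path, and shows a guarded extraction that skips the offending entries.

```python
"""Audit archive entry names for path traversal before extracting.

Added example, not from the article or from WinRAR. Uses an in-memory ZIP
because the standard library has no RAR reader; the checks are on entry
names only and are format-independent.
"""
import io
import os
import zipfile
from pathlib import PureWindowsPath

# Constructed sample: entry names as a malicious archive listing might show
# them. All names and contents are hypothetical, chosen to exercise each check.
SAMPLE_ENTRIES = {
    "report.pdf": b"%PDF-1.4 placeholder",
    "images/logo.png": b"\x89PNG placeholder",
    "..\\..\\Windows\\payload.exe": b"MZ placeholder",      # climbs out via '..'
    "C:\\Windows\\Temp\\payload.dll": b"MZ placeholder",   # absolute Windows path
    "docs/../../escaped.txt": b"placeholder",              # '..' hidden mid-path
}


def build_sample_zip() -> bytes:
    """Write SAMPLE_ENTRIES into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_entry(name: str, dest_root: str):
    """Return a reason string if extracting `name` under `dest_root` is unsafe,
    or None if the entry stays inside the destination.

    Both '/' and '\\' are treated as separators, as a Windows extractor would.
    """
    if not name:
        return "empty entry name"
    p = PureWindowsPath(name.replace("/", "\\"))
    if p.drive or p.root:            # 'C:\\...', 'C:foo' or '\\...'
        return "absolute path"
    if ".." in p.parts:              # any parent-directory component
        return "parent-directory component"
    # Defence in depth: resolve the final location and confirm containment.
    root = os.path.normpath(os.path.abspath(dest_root))
    target = os.path.normpath(os.path.join(root, *p.parts))
    if os.path.commonpath([root, target]) != root:
        return "escapes destination"
    return None


def audit_archive(zip_bytes: bytes, dest_root: str = "extracted") -> dict:
    """List unsafe entries as {entry name: reason} without extracting anything."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info.filename, dest_root)
            if reason:
                findings[info.filename] = reason
    return findings


def safe_extract(zip_bytes: bytes, dest_root: str):
    """Extract only entries that pass classify_entry; return (extracted, skipped)."""
    extracted, skipped = [], []
    os.makedirs(dest_root, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if classify_entry(info.filename, dest_root):
                skipped.append(info.filename)
                continue
            parts = PureWindowsPath(info.filename.replace("/", "\\")).parts
            target = os.path.join(dest_root, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, skipped


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry, why in audit_archive(sample).items():
        print(f"BLOCK {entry!r}: {why}")
    ok, bad = safe_extract(sample, "extracted")
    print(f"extracted {len(ok)} entries, skipped {len(bad)}")
```

Running the block prints three blocked entries (two with a parent-directory component, one absolute path) and extracts only the two benign files. The containment check on the resolved path is kept even though the two name-based rules already catch the sample, so that any separator or normalisation quirk the rules miss still cannot write outside the destination; an archive with any flagged entry is a good candidate for quarantine rather than partial extraction.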
The post WinRAR 0-Day in Phishing Attacks to Deploy RomCom Malware appeared first on Cyber Security News.