WinRAR path traversal flaw still exploited by numerous hackers

Multiple state-sponsored and financially motivated actors are actively exploiting CVE-2025-8088, a high-severity WinRAR path-traversal vulnerability, to gain initial access and deliver a variety of malicious payloads. A crafted archive hides its real payloads in NTFS Alternate Data Streams (ADS) attached to a decoy entry; the stream names carry `..\` traversal sequences, so on extraction WinRAR writes the hidden LNK, HTA, BAT, CMD or script files outside the chosen folder, typically into a Startup folder for persistence. Exploitation has been observed since July 18, 2025, including zero-day use by RomCom before a fix was available. The bug is fixed in WinRAR 7.13; because WinRAR has no auto-update mechanism, earlier installs remain exploitable until updated by hand. #CVE-2025-8088 #RomCom

Keypoints

  • CVE-2025-8088 is a WinRAR path-traversal vulnerability: Alternate Data Stream names inside archive entries can carry `..\` sequences, so extraction writes files to attacker-chosen locations outside the target directory.
  • Attackers attach the malicious ADS entries to a benign-looking decoy file in the archive; the extracted LNK, HTA, BAT, CMD, or script files land in a Startup folder and run at the next user login.
  • Both state-sponsored groups (e.g., UNC4895/RomCom, APT44, Turla, TEMP.Armageddon) and financially motivated actors have exploited the flaw since July 2025.
  • Delivered malware includes NESTPACKER (Snipbot), STOCKSTAY, POISONIVY, XWorm, AsyncRAT, Telegram-controlled backdoors, and malicious Chrome banking extensions.
  • Commoditization of the exploit by sellers such as “zeroplayer” has lowered the barrier to entry: actors without their own vulnerability research can buy zero-days and exploit chains and quickly turn them against unpatched systems.
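A quick pre-extraction check a defender can run over an archive listing, added here as an example and not code from the article, ESET or WinRAR: it splits each entry name into file and ADS stream, then flags streams (or plain names) that contain `..` components, absolute drive/UNC targets, a Startup-folder path, or an autorun-capable extension. The entry names in `SAMPLE_ENTRIES` are constructed for illustration, not real malware artifacts; the function names are this example's own.

```python
"""
Flag archive entry names that abuse NTFS Alternate Data Streams (ADS) for
path traversal, the pattern behind CVE-2025-8088 in WinRAR.

Added example, not code from the article or from the WinRAR/ESET write-ups.
It assumes you already have the entry names from an archive listing taken
without extracting; SAMPLE_ENTRIES below is constructed for illustration.
"""
import re

# ".." as a whole path component, with either separator, anywhere in the name.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Drive letter ("C:") or UNC ("\\server") prefix: an absolute write target.
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")
# Per-user and all-users Startup folders share this tail.
STARTUP_RE = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)
# File types the article reports being dropped, plus common script types
# that Explorer will happily run from a Startup folder.
AUTORUN_EXTS = {"lnk", "hta", "bat", "cmd", "vbs", "js", "ps1"}


def split_ads(entry_name: str):
    """Return (base_name, stream_name); stream_name is None without an ADS.

    A colon at offset 1 after a letter is a drive-letter colon, not an ADS
    separator, so 'C:\\x' has no stream while 'C:\\x:evil' does.
    """
    idx = entry_name.find(":")
    if idx == 1 and entry_name[0].isalpha():
        idx = entry_name.find(":", 2)
    if idx == -1:
        return entry_name, None
    return entry_name[:idx], entry_name[idx + 1:]


def classify_entry(entry_name: str) -> dict:
    """Describe one entry; 'findings' is an empty list for benign names."""
    base, stream = split_ads(entry_name)
    findings = []
    if stream is not None:
        # The CVE-2025-8088 shape: traversal or absolute path inside the stream name.
        if TRAVERSAL_RE.search(stream):
            findings.append("ads-traversal")
        if ABSOLUTE_RE.match(stream):
            findings.append("ads-absolute-path")
        if STARTUP_RE.search(stream):
            findings.append("ads-startup-folder")
        leaf = re.split(r"[\\/]", stream)[-1]
        ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        if ext in AUTORUN_EXTS:
            findings.append("ads-autorun-ext:" + ext)
    elif TRAVERSAL_RE.search(base) or ABSOLUTE_RE.match(base):
        # Classic (non-ADS) zip-slip style traversal, still worth flagging.
        findings.append("plain-traversal")
    return {"entry": entry_name, "base": base, "stream": stream, "findings": findings}


def scan_entries(entry_names):
    """Return the classified records that carry at least one finding."""
    return [r for r in map(classify_entry, entry_names) if r["findings"]]


# Constructed sample listing: a decoy document, a legitimate Zone.Identifier
# stream that must NOT be flagged, two ADS entries traversing out to the
# per-user and all-users Startup folders, an absolute-path ADS, and a
# plain traversal entry.
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "Invoice_2025.pdf:Zone.Identifier",
    "Invoice_2025.pdf:" + "..\\" * 6
    + "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Invoice_2025.pdf:" + "..\\" * 5
    + "ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\run.cmd",
    "readme.txt:C:\\Users\\Public\\loader.hta",
    "..\\..\\Users\\Public\\drop.bat",
]


if __name__ == "__main__":
    for rec in scan_entries(SAMPLE_ENTRIES):
        print(f"{rec['entry']!r}\n    -> {', '.join(rec['findings'])}")
```

Feed `scan_entries` the names from any lister that does not extract (for example `rarfile.RarFile(path).namelist()` with the `rarfile` module, or the bare-name listing of a command-line unrar). A legitimate `Zone.Identifier` stream produces no finding, so the check does not fire on every ADS; any `..` or absolute path inside a stream name has no benign use in an archive and is the signal. This is a triage aid for mail gateways and sandboxes, not a substitute for updating WinRAR.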

Read More: https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/