Advisory ID: NCC-CSIRT-2025-010
Summary:
ESET researchers discovered a path traversal vulnerability in WinRAR (CVE-2025-8088) that was already being exploited in the wild before a fix was available. Attackers sent specially crafted RAR archives which, when opened with a vulnerable version of WinRAR, wrote files outside the chosen extraction folder, including into the Windows Startup folder, so that the dropped files run each time the user logs on. The dropped files installed the RomCom backdoor, giving the attackers control of the machine; the archives were delivered as phishing email attachments. WinRAR 7.13 fixes the issue, and all users should update immediately.
Damage/Probability: MEDIUM/CRITICAL
Product(s):
WinRAR for Windows
Version(s):
Versions before 7.13
Platform(s):
Windows OS
Description:
This vulnerability is a path traversal flaw in WinRAR for Windows before version 7.13. A crafted RAR archive can carry entries whose names escape the chosen extraction folder, so extracting the archive writes attacker-controlled files to any location the user can write to, not only the folder the user selected.
In the observed attacks, the malicious archives were delivered as phishing email attachments. Extracting them placed files in the user's Startup folder, from which Windows executed them at the next logon. Those files installed the RomCom backdoor, which gives the attackers remote control of the host and lets them steal data and move on to other systems.
WinRAR 7.13 fixes the issue by refusing to write extracted files outside the chosen extraction folder. All users should update as soon as possible.
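The check an extractor has to apply is the one the fix restores: resolve every entry name against the chosen destination and refuse anything that would land elsewhere. The following is an added example written for this advisory, not code from WinRAR or from the advisory itself. The destination folder and the entry names are constructed to mirror the pattern described above (a harmless decoy next to an entry that walks up into the user's Startup folder); they are not taken from a real sample. `naive_target` shows where a join-and-write extractor would put such an entry, `resolve_entry` is the hardened check; both use `ntpath`, so the code runs on any operating system.

```python
# Added example (editor's illustration, not code from the advisory or from WinRAR).
# Every archive entry name is resolved against the chosen destination folder and
# refused if it would land anywhere else. DEST and SAMPLE_ENTRIES are constructed.
import ntpath
from typing import Dict, List, Optional

# Constructed destination: the folder the user chose in the extraction dialog.
DEST = r"C:\Users\alice\Downloads\invoice"

# Constructed entry names of the kind a crafted archive could carry.
SAMPLE_ENTRIES: List[str] = [
    "Invoice-2025.pdf",                                   # benign decoy
    "docs/readme.txt",                                    # benign, forward slashes
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.dll",
    r"Invoice-2025.pdf:payload.dll",                      # NTFS alternate data stream syntax
]


def naive_target(dest: str, entry_name: str) -> str:
    """Where an extractor that simply joins dest and name would write the entry.
    This is the behaviour a path traversal bug relies on; shown for contrast only."""
    return ntpath.normpath(ntpath.join(dest, entry_name.replace("/", "\\")))


def resolve_entry(dest: str, entry_name: str) -> Optional[str]:
    """Return the absolute path an entry may be written to, or None if the name
    must be refused. Uses ntpath (Windows path rules) so it runs on any OS."""
    if not ntpath.isabs(dest):
        raise ValueError("destination must be an absolute Windows path")
    name = entry_name.replace("/", "\\")
    # Absolute, drive-relative (C:foo) and UNC names ignore the destination entirely.
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return None
    # A colon in a relative name is NTFS stream syntax (file:stream); refusing it
    # stops an entry from attaching hidden data to another file.
    if ":" in name:
        return None
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, name))
    # normpath has collapsed any '..' segments; the result must still sit below
    # dest. Compare case-insensitively because NTFS paths are case-insensitive.
    prefix = dest_norm.rstrip("\\") + "\\"
    if not target.lower().startswith(prefix.lower()):
        return None
    return target


def plan_extraction(dest: str, entry_names: List[str]) -> Dict[str, Optional[str]]:
    """Map each entry name to its permitted target path, or None if refused."""
    return {name: resolve_entry(dest, name) for name in entry_names}


if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        safe = resolve_entry(DEST, name)
        print(f"{'OK     ' if safe else 'REFUSED'} {name}")
        if safe is None:
            print(f"        naive extractor would write: {naive_target(DEST, name)}")
```

Run as a script, the third entry is refused while `naive_target` shows it resolving to `C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe`, which is exactly the per-user Startup location the attacks used. The containment test is done on the normalised path rather than by searching the name for `..`, because a bare substring check misses forms such as `sub/../../escape.txt` and encoded or mixed-separator variants.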
Impacts:
Successful exploitation gives an attacker code execution on the victim's machine, persistence across logons, the ability to steal credentials and move to other systems in the network, and potentially a foothold for ransomware or data theft. The risk is higher for organizations whose staff can open RAR attachments on their computers without security controls such as attachment filtering and up-to-date endpoint protection.
Solutions:
- Update WinRAR to 7.13 or later, or uninstall it if it is not required. WinRAR does not update itself, so the new version must be downloaded and installed manually; use only the vendor's official site.
- Do not extract RAR files received by email unless you can verify the sender and were expecting the content. Prefer suppliers that deliver files through trusted portals (for example as password-protected downloads) rather than as email attachments.
- Enable endpoint protection and keep it up to date; run a full system scan if a RAR attachment was recently opened on the machine.
- If you suspect infection, disconnect the machine from the network, preserve evidence (including the RAR file and the contents of the Startup folders), and contact your IT/security team or a reputable incident response provider.
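A responder following these steps on a Windows host wants two quick answers: is the installed WinRAR older than 7.13, and what has recently appeared in the Startup folders that the attacks used for persistence. The following is an added triage example for this advisory, not code from the advisory or from WinRAR. It assumes the usual Windows layout (Startup folders under %APPDATA% and %ProgramData%) and reads the WinRAR version from the uninstall registry entry, whose key name "WinRAR archiver" is an assumption; on non-Windows systems the registry lookup returns None and only the folder scan runs.

```python
# Added triage example (editor's illustration, not part of the advisory).
# Assumptions: Startup folders are derived from APPDATA / ProgramData, and the
# WinRAR version comes from the uninstall key "WinRAR archiver" (assumed name).
import os
import sys
import time
from typing import List, Optional, Tuple

FIXED_VERSION = (7, 13)          # first WinRAR release without the flaw
SUSPICIOUS_EXT = {".exe", ".dll", ".lnk", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr"}
STARTUP_SUFFIX = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.12.0' -> (7, 12, 0); stops at the first non-numeric component."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def is_vulnerable(version_text: str) -> bool:
    """True when the version is older than 7.13 (major.minor comparison)."""
    return parse_version(version_text)[:2] < FIXED_VERSION


def startup_folders() -> List[str]:
    """Per-user and all-users Startup folders from the environment (assumed layout)."""
    folders = []
    for var in ("APPDATA", "ProgramData"):
        base = os.environ.get(var)
        if base:
            folders.append(os.path.join(base, STARTUP_SUFFIX))
    return folders


def classify_entry(path: str, mtime: float, now: float, days: int) -> Optional[str]:
    """Reason string if the entry changed within `days`, else None."""
    age_days = (now - mtime) / 86400
    if age_days > days:
        return None
    ext = os.path.splitext(path)[1].lower()
    kind = "executable content" if ext in SUSPICIOUS_EXT else "recent file"
    return f"{kind}, modified {age_days:.1f} days ago"


def recent_startup_entries(folders: List[str], days: int = 30,
                           now: Optional[float] = None) -> List[Tuple[str, str]]:
    """(path, reason) for entries in the given folders changed within `days`."""
    now = time.time() if now is None else now
    hits: List[Tuple[str, str]] = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for entry in os.scandir(folder):
            reason = classify_entry(entry.path, entry.stat().st_mtime, now, days)
            if reason:
                hits.append((entry.path, reason))
    return hits


def installed_winrar_version() -> Optional[str]:
    """DisplayVersion from the uninstall key (assumed name), or None if unavailable."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(root, subkey) as key:
                return str(winreg.QueryValueEx(key, "DisplayVersion")[0])
        except OSError:
            continue
    return None


if __name__ == "__main__":
    ver = installed_winrar_version()
    if ver is None:
        print("WinRAR version: not found in registry")
    else:
        state = "VULNERABLE (update to 7.13+)" if is_vulnerable(ver) else "patched"
        print(f"WinRAR version: {ver} -> {state}")
    for path, reason in recent_startup_entries(startup_folders()):
        print(f"REVIEW {path}: {reason}")
```

Any file the scan reports should be checked against what the user knowingly installed; a recently created .exe, .dll or .lnk in either Startup folder on a machine that opened a RAR attachment is the signal to isolate the host and preserve the file rather than delete it.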
References:
- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/
- https://franetic.com/google-data-breach-exposed-potential-ads-customer-info/
- https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/
- https://hackread.com/google-salesforce-data-breach-shinyhunters-vishing-scam/